This document discusses using FreeTDM to enable passive PRI call recording. FreeTDM provides a unified API for PSTN I/O and signaling across modules. Its PRI tapping module decodes D-channel messages and mixes voice streams from two spans for recording. Sangoma cards in high impedance mode are used, with one span for network traffic and one for CPE. FreeSWITCH can then use the tapped calls in its dialplan without changes for applications like recording.
Shedding light on PROFINET node development
Despite the availability of Real Time Ethernet in general and PROFINET in particular for many years there is still insecurity regarding the necessary hardware and software effort required to implement and certify a PROFINET node. This presentation aims to shed some light on node development based on 10 odd years practical experience in the development of PROFINET technology.
The presentation starts with some generic performance characteristics of Real Time Ethernet in general and PROFINET in particular. To satisfy these characteristics particular architectures are required and we enumerate these, detailing the pros and cons underlined with performance data and some experiences in the field. We finish up by discussing some future themes and their ramifications for the node developer.
Presented by:
Hans Dermot Doran, Head of Real Time Ethernet Research Group & Professor of Communication and Information Technologies, Institute of Embedded Systems, Zürich University of Applied Sciences
For training sessions, demonstration sessions by vendors of diagnostic tools and for stress testing of PROFIBUS DP networks, a compact “error generator” tool was developed. The decoding of UART characters, testing for trigger conditions, generation of errors on RS485, the HMI, etc. of an FPGA based error generator is discussed.
GRX is the global private network where telecom network operators exchange GPRS roaming traffic of their users. It’s also used for all M2M networks where roaming is used, and that is the case from some company’s truck fleet management system down to intelligence GPS location spybug tracking system.
GPRS has been there from 2.5G GSM networks to the upcoming LTE Advanced networks, and is now quite widespread technology, along with its attacks. GRX has had a structuring role in the global telecom world at a time where IP dominance was beginning to be acknowledged. Now it has expanded to a lightweight structure using both IP technologies and ITU-originated protocols.
In this presentation, we’ll see how this infrastructure is protected and how it can be attacked. We’ll discover the issues with specific telco equipment inside GRX, namely GGSN and SGSN but also now PDN Gateways in LTE and LTE Advanced “Evolved Packet Core”. We will see the implications of this with GTP protocol, DNS infrastructure, AAA servers and core network technologies such as MPLS, IPsec VPNs and their associated routing protocols. These network elements were rarely evaluated for security, and during our engagements with vulnerability analysis, we’ve seen several vulnerabilities that we will be showing in this speech.
We will demo some of the attacks on a simulated “PS Domain” network, that is the IP part of the Telecom Core Network that transports customers’ traffic, and investigate its relationships with legacy SS7, SIGTRAN IP backbones, M2M private corporate VPNs and telecom billing systems. We will also see how automation enables us to succeed at attacks which are hard to perform and will show how a “sentinel” attack was able to compromise a telecom Core Network during one penetration test.
Philippe Langlois - LTE Pwnage - P1security
P1Security
Today, we’re entering the realm of LTE super high speed always-on connectivity and with that comes the victory of TCP/IP in front of the old ITU/3GPP protocols. And with this comes many side effects: software gets standardized, everything runs on top of ATCA (Advanced Telecom Computing Architecture) hardware running mostly Linux -give or take 6 or 8 proprietary FPGA-based sister cards, TFTP-booted with decade old VxWorks that routinely show hardcoded DES credentials and funny “behaviour”. Easily 20 GB of fat C++ binaries, some for x86, PPC, MIPS, some with up to 200 Mbytes file sizes for one single EXE! It’s called a vulnerability research and reverse engineering paradise… or hell.
All the protocols now run on top of IP, which ends up having 12 layers thanks to encapsulation and still the weight of legacy in bugs quantity and diversity. We’ll see how the porting of SS7 MAP on top of IP (SIGTRAN, Diameter) has given rise to funny Denial of Service (DoS) attacks against telecom core elements (DSR, STP), with trashy-crashy anti-forensics consequences for DPI and tracking (Hey @grugq!!).
We’ll look into specific vulnerabilities, and talk about the very particular way that Network Equipment Vendors deal with security in the telecom domain.
We will demo a virtualized Huawei HSS from our testbed and show some of the vulnerabilities and attacks directly on the equipment itself. We will finally talk about telco equipment and product security reviews and the fallacy of (some) certification and (many) standardization attempts. We will then see how to conduct a practical and fast telecom product security life cycle with automation and open source tools.
• To gain an understanding of the way in which PROFINET devices communicate with one another over Ethernet.
• To learn how to capture the PROFINET frames using Wireshark®.
• To see how Wireshark® can be used to analyse the captured frames to gain an understanding of the various protocols.
• This is a topic covered in more detail in the Certified PROFINET Engineers Course.
HITB Labs: Practical Attacks Against 3G/4G Telecommunication Networks
Jim Geovedi
In 2010 a number of practical high-profile attacks against GSM have been discussed and demonstrated. Still it should be noted that those only work against GSM (2G) which has been standardised in the early 90s. It was followed by the 3G family of standards in 2000 which in turn are currently superseded (better: complemented) by yet another generation (4G). LTE (4G) which is expected to be "the next big thing in mobile telco business" has an all-IP network architecture that is much flatter than the earlier architectures' ones.
Like its predecessor PROFIBUS, PROFINET is a diagnostic-rich protocol allowing your support team to quickly identify the source of device-related problems. This however is of limited use if the underlying performance of your network is poor. PROFINET networks are often seen as the plug and play solution for industrial networks, giving you the impression that successful completion of your application-specific testing is a guarantee that your network is working efficiently and without errors. This is fundamentally wrong and needs to be considered at the design stage as well as the acceptance stage of a project. This presentation will discuss the issues, how to address them and give typical examples of the equipment required.
The use of embedded and removable card universal flash storage (UFS) in the fast-moving mobile market is growing, and designers are looking for ways to accelerate their design development and verification process. In this presentation, Rui Terra of Synopsys describes how using FPGA-based prototyping systems with pre-verified UFS and UniPro IP reference designs enable designers to easily develop their required software, test their device’s interoperability and ensure compliance.
In Red Hat Enterprise Linux 7 a new method of interacting with netfilter has been introduced: firewalld.
firewalld is a system daemon that:
• Can configure and monitor the system firewall rules.
• Lets applications request ports to be opened by talking to it over the D-Bus messaging system.
• Covers IPv4, IPv6, and potentially ebtables settings.
• Simplifies firewall management by classifying all network traffic into zones.
firewalld is installed from the firewalld package. This package is part of a base install, but not part of a minimal install.
Vision ONE enables security tools to gain reliable and efficient access to relevant data with minimal effort, ensuring that security solutions don't contain hidden blind spots.
The Intel MCS-51 (commonly referred to as 8051) is a Harvard architecture, CISC instruction set, single chip microcontroller (µC) series which was developed by Intel in 1980 for use in embedded systems.[1] Intel's original versions were popular in the 1980s and early 1990s and enhanced binary compatible derivatives remain popular today.
PLNOG14: Fortinet, Carrier and MSSP - Robert Dąbrowski
PROIDEA
Robert Dąbrowski - Fortinet
Language: English
The presentation covers types of projects as well as specific examples of FORTINET activity in the telecommunications sector.
It showcases technologies, their development and advancement driven by the needs of service providers for securing the ISP infrastructure and MSSP service distribution.
Register for the next PLNOG edition today: krakow.plnog.pl
Why Session Border Controllers?
Product Portfolio of the Session Border Controller
Business Applications and Use Cases (Vega ESBC)
Carrier/Service Provider Applications and Use Cases (NetBorder SBC)
Sangoma SBC Load Balancing and Failover Techniques
SBC Walkthrough
Conceptual Overview of the SBC Call Processing Components
Introduction and Configuration of SIP Profiles
Introduction and Configuration of Domain Profiles
Introduction and Configuration of Media Profiles
Introduction and Configuration of SIP Trunks
Introduction and Configuration of Call Routing
Walkthrough
PLNOG14: Can you live without a DDoS protection system? - Marek Janik
PROIDEA
Marek Janik - Huawei
Language: Polish
During the session I will try to present ways of protecting a network against DDoS attacks: generally available ones, specialized ones, and those offered as a service by an operator or a dedicated company. After the presentation you will be able to judge for yourself whether “some” AntiDDoS solution is needed, and “which” one, given the business you run on the Internet.
Register for the next PLNOG edition today: krakow.plnog.pl
Flex coherent and open API bring a fresh, state-of-the-art software development approach to the broader community of network software developers.
They will be able to fully and directly control and monitor the rich transport feature set optimized for SDN and cloud use cases.
Transport SDN & OpenDaylight Use Cases in Korea
Justin Park
In Korea, wired telecommunications carriers have been using assorted transport technologies with diverse network appliances. In order to reduce CAPEX and to avoid vendor lock-in, these transport networks are often comprised of multi-vendor and multi-domain equipment, which leads to high complexity and incompatibility. To overcome this obstacle, research organizations and local telecommunications carriers have been investigating and analyzing the feasibility of transport SDN technology. This talk dishes on the latest trend in Korea telecommunications carriers and the status of their transport SDN technology.
Analysis of the Pending Interest Table behavior in the context of a distributed denial of service attack.
Slides presented at:
3rd ACM SIGCOMM Workshop on Information-Centric Networking (ICN 2013) - Hong Kong, China
The paper is available at:
http://conferences.sigcomm.org/sigcomm/2013/papers/icn/p67.pdf
Scaling FreeSWITCH to high cps and number of concurrent calls.
You'll learn about how the FreeSWITCH internals work and how to tweak them to improve different call scenarios. You'll learn about OS and environment changes that can help to remove bottlenecks and ensure audio quality.
2. Agenda
• What is FreeTDM.
• FreeTDM API basics.
• PRI passive line monitoring.
• ftmod_pritap – The FreeTDM PRI tapping module.
• PRI tapping with FreeSWITCH.
02 Aug-2010 / 2
5. FreeTDM Architecture
• FreeTDM is the new name of OpenZAP.
• FreeTDM introduces new features and better integration with new Sangoma signaling stacks.
• Sangoma is committed to support FreeTDM and use it as its own signaling and I/O high level API.
6. FreeTDM API basics
• Span and channel-based API
• I/O API
– ftdm_channel_open()
– ftdm_channel_read/write()
– ftdm_channel_wait()
– ftdm_channel_command()
– ftdm_channel_close()
– ftdm_span_poll_event()
– ftdm_span_next_event()
7. FreeTDM API basics
• Call control API (signaling)
– ftdm_channel_call_place()
– ftdm_channel_call_indicate()
– ftdm_channel_call_hold/unhold()
– ftdm_channel_call_hangup()
• Outgoing call events through callbacks
– SIGEVENT_START, SIGEVENT_STOP, SIGEVENT_PROGRESS, SIGEVENT_UP etc.
13. PRI Passive Monitoring
• 2 Sangoma ports needed per link.
• Tapping box (PN 633) ensures quality.
• High impedance mode in the card.
• Wanpipe drivers drop any tx data.
• One port for Tx NET, the other for Tx CPE.
[Diagram: Span 1 and Span 2]
14. PRI Passive Monitoring
• Raw tapping can be achieved with wanpipemon (pcap file).
• Raw access to D-channel messages through libsangoma.
• Voice from NET in span 1, voice from CPE in span 2. In this mode, mixing is up to the user.
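In raw mode the recorder has to combine the two directions itself. The following is an added example, not code from the slides, FreeTDM or libsangoma: it mixes the NET-side and CPE-side bytes of one B-channel into saturated 16-bit PCM. The names `g711_decode` and `tap_mix` are hypothetical, and it assumes both spans deliver G.711 audio (mu-law on T1, A-law on E1) for the same timeslot.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef enum { G711_ULAW, G711_ALAW } g711_law_t; /* assumed: T1 mu-law, E1 A-law */

/* Expand one G.711 byte to a 16-bit linear PCM sample. */
static int16_t g711_decode(uint8_t v, g711_law_t law)
{
    int t, seg;
    if (law == G711_ULAW) {
        v = (uint8_t)~v;                 /* mu-law bytes are sent inverted */
        t = (((v & 0x0F) << 3) + 0x84) << ((v & 0x70) >> 4);
        return (int16_t)((v & 0x80) ? (0x84 - t) : (t - 0x84));
    }
    v ^= 0x55;                           /* A-law inverts alternate bits */
    seg = (v & 0x70) >> 4;
    t = (v & 0x0F) << 4;
    if (seg == 0)
        t += 8;
    else
        t = (t + 0x108) << (seg - 1);
    return (int16_t)((v & 0x80) ? t : -t);
}

/* Mix the NET-side and CPE-side byte streams of one B-channel into linear PCM.
 * A side that delivered fewer bytes is padded with silence. Returns the number
 * of samples written to out, which must hold max(net_len, cpe_len) samples;
 * *clipped, if non-NULL, receives how many samples had to be saturated. */
static size_t tap_mix(const uint8_t *net, size_t net_len,
                      const uint8_t *cpe, size_t cpe_len,
                      g711_law_t law, int16_t *out, size_t *clipped)
{
    size_t n = net_len > cpe_len ? net_len : cpe_len, sat = 0;
    for (size_t i = 0; i < n; i++) {
        int32_t sum = (i < net_len ? g711_decode(net[i], law) : 0)
                    + (i < cpe_len ? g711_decode(cpe[i], law) : 0);
        if (sum > INT16_MAX) { sum = INT16_MAX; sat++; }
        else if (sum < INT16_MIN) { sum = INT16_MIN; sat++; }
        out[i] = (int16_t)sum;
    }
    if (clipped)
        *clipped = sat;
    return n;
}

int main(void)
{
    /* Constructed sample bytes, not captured traffic. */
    const uint8_t net[] = { 0x80, 0x80, 0xFF, 0x9F };
    const uint8_t cpe[] = { 0x80, 0x00, 0xFF };
    int16_t out[4];
    size_t clipped, n = tap_mix(net, 4, cpe, 3, G711_ULAW, out, &clipped);
    for (size_t i = 0; i < n; i++)
        printf("%d\n", out[i]);
    printf("clipped=%zu\n", clipped);
    return 0;
}
```

A rising clipped count means both parties are loud at once; a recorder that needs to keep the directions separable can write them as two channels instead of summing.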
15. FreeTDM PRI Tapping Module
• Easier API in C for PRI tapping.
• You configure your spans with “pritap” signaling.
• Calls are reported through regular SIGEVENT_ messages.
• Using I/O FreeTDM API you can access the mixed stream.
– ftdm_channel_read(ftdmchan) returns the stream already mixed.
17. FreeTDM PRI Tapping Module
• Uses passive version of libpri for message decoding.
– http://svn.digium.com/svn/libpri/team/moy/tap-1.4/
• Decodes IEs on SETUP, PROCEED, ALERTING, CONNECT, DISCONNECT, etc.
• Planning to move to an independent decoder to drop the libpri dependency.
• Configure FreeTDM with --with-pritap to enable ftmod_pritap.so.
20. FreeSWITCH PRI tapping
• No changes at all needed in FreeSWITCH.
• FreeTDM reports tapped calls to FreeSWITCH as regular incoming calls.
• You use the FreeSWITCH dial plan to do recording, logging or any other supported FreeSWITCH application on the tapped call.
– <action application="record" data="…."/>
• Applications that write to the channel have no effect on a tapped call.
23. Conclusion
• You can now build a passive call recorder/logger easily.
• Tapped system can be any PRI switch/telco.
• Available in API mode or using standard FreeSWITCH/FreeTDM integration.
• Extensible through regular dial plan logic (XML, Lua etc).