Transcript of Security model-of-sip-d2-05 at kishore
Alcatel-Lucent - Proprietary
A T Kishore, January 31st, 2008
“Security Model” of SIP
Alcatel-Lucent – Proprietary
All Rights Reserved © Alcatel-Lucent 2007
Agenda
1. Security is Ever Pervasive
2. SIP is no exception
3. Introducing SIP CIA Model
4. ‘Always ON’
5. Call Flow Scenarios
Security is Ever Pervasive
Alcatel-Lucent’s resources are pioneers in the knowledge that drives security innovations
About Alcatel-Lucent Leadership and Expertise in Security
Patents and standardization: R&D leadership
Hundreds of patents in security, cryptography, biometrics, firewalls, denial of service and virus detection
ITU Standards Visionary (X.805) then ISO 18028
Major player in ITU-T SG 17 – Lead Study Group on Communication System Security
CERT-IST operation, FIRST membership since 1999
Bell Labs leadership in:
Creation of new cryptography (SHAZAM for CDMA2000, PAK)
Breaking of old cryptography (PKCS#1, DSA, SOBER, Clipper)
Development of optical-rate encryption ciphers and NSA-certified encryptors
Pioneering work in provable security
Biometrics (voice authentication with secured models)
High-speed encryption hardware (e.g., for SANs)
Integration of 802.11 and 3G AAA
Watermarking
Building security into the DNA of complex systems
The Bell Labs Security Framework: ITU/X.805 Security Standard, ISO 18028 Security Standard
Figure: the Bell Labs Security Framework grid. Three layers (Infrastructure, Services, Applications) by three planes (End User, Control/Signaling, Management) give nine modules (MODULE 1 to MODULE 9); each module is assessed against eight security dimensions: Access Control, Authentication, Non-Repudiation, Data Confidentiality, Communications Security, Data Integrity, Privacy, Availability (9 modules X 8 dimensions = 72 security cells). Threats and attacks are classified as Destruction, Disclosure, Corruption, Removal and Interruption.
Alcatel-Lucent Bell Labs Security Framework: the international standard to build secure-by-design communications solutions
Viruses are just one part of a greater danger: cybercrime
Viruses are now used as ‘tools’ to:
Install backdoors
Steal identity data
Mount major attacks
Major attacks for rent
A menacing change in attacker skill and motivation
Security trends: Hacker ‘professionalism’ on the rise
Figure: evolution of attacks over time, from Virus to Backdoor to SPAM to Targeted attacks (ex: Autoproxy, Sobig) to Major attacks (ex: Bugbear.b, Sobig) to Financial data theft.
Going rates for attack services (source CLUSIF):
On-demand DDOS attack: 38 to 750 €
20000 proxies for spam: 75 €/week
Network of 500 bots (= zombies): 380 €
Exclusive access to a bot: 0.35 €/bot
Non-exclusive access to a bot: 0.15 €/bot
“Virus makers are becoming mercenaries.”
Security – The Jobs to do
Web-based commerce
Regulatory Requirements & Homeland Security
Attacks increasing in sophistication and impact
External and internal threats and vulnerabilities
Need for privacy, reliability and availability
Increasingly complex technology
Operational challenges, patch management
Outsourcing and Application Hosting
SIP is no Exception
Tackling SIP Security - General SIP servers
Execution phases for all incoming SIP messages:
Reception
Parsing (computationally intensive for SIP!)
Processing
Marshalling & transmission
Figure: general multi-threaded SIP server. Messages move from the network socket buffer through parsing and processing threads to the outgoing network socket buffer; the processing work depends on the type of message and the SIP element.
Tackling SIP Security - Prioritizing SIP servers
Modifications:
Prioritization mechanism
Message priority queue
On-demand parsing during prioritization and processing
Figure: prioritizing SIP server. Messages move from the network socket buffer through pre-parsing & prioritization threads into the message priority queue, then through remainder parsing & processing threads to the outgoing network socket buffer.
Tackling SIP Security - Message processing stages
Figure: measured sojourn time per stage (excluding network buffer) for three designs:
General SIP server: parsing, then processing
SIP server with on-demand parsing: parsing on-demand during processing
Prioritizing SIP server with efficient parsing: parsing on-demand during prioritization, queuing, then parsing on-demand during processing
Parse only what is strictly necessary, in combination with an efficient header field recognition algorithm
Prioritization policies based on message characteristics, system state, and statistics
Tackling SIP Security - Prioritizing SIP server
Figure: SIP messages from SIP devices and the Service Provider enter SIP server1 to SIP servern; each server runs pre-parsing, prioritizing and processing stages, and messages the policy rejects are dropped.
Policy: dynamic adaptation to real-time conditions
Policy definition
Bell Labs Java SIP stack
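An added example, not from the slides or the Bell Labs Java SIP stack, of the pre-parse-then-prioritize design: only the start line and CSeq are read before a message is queued, teardown and in-progress traffic rank above new session setup, and when the queue is over capacity the lowest-ranked message is shed before full parsing ever runs on it. The sample messages, the priority table and the capacity are constructed assumptions standing in for a real policy definition.

```python
import heapq
import itertools

# Constructed sample traffic (not from the slides), trimmed to the start
# line plus the headers that pre-parsing actually reads.
SAMPLE_MESSAGES = [
    "INVITE sip:bob@example.com SIP/2.0\r\nCall-ID: a1\r\nCSeq: 1 INVITE\r\n\r\n",
    "BYE sip:bob@example.com SIP/2.0\r\nCall-ID: c3\r\nCSeq: 2 BYE\r\n\r\n",
    "REGISTER sip:example.com SIP/2.0\r\nCall-ID: r9\r\nCSeq: 1 REGISTER\r\n\r\n",
    "OPTIONS sip:example.com SIP/2.0\r\nCall-ID: o7\r\nCSeq: 1 OPTIONS\r\n\r\n",
    "SIP/2.0 200 OK\r\nCall-ID: a1\r\nCSeq: 1 INVITE\r\n\r\n",
]

# Assumed policy: lower number is served first. Messages that finish or tear
# down work already in progress outrank requests that create new work;
# unknown or malformed methods fall to priority 5 (last).
PRIORITY = {"ACK": 0, "BYE": 0, "CANCEL": 0, "RESPONSE": 1,
            "REGISTER": 2, "INVITE": 3, "OPTIONS": 4}

def pre_parse(raw):
    """Read only the start line and CSeq: enough to classify, nothing more."""
    start, _, rest = raw.partition("\r\n")
    kind = "RESPONSE" if start.startswith("SIP/2.0") else start.split(" ", 1)[0].upper()
    cseq = None
    for line in rest.split("\r\n"):
        if line.lower().startswith("cseq:"):
            cseq = line.split(":", 1)[1].strip()
            break
    return kind, cseq

class PrioritizingQueue:
    def __init__(self, capacity):
        self.capacity = capacity       # queue length at which shedding starts
        self._heap = []
        self._tie = itertools.count()  # FIFO order among equal priorities
        self.dropped = 0

    def offer(self, raw):
        kind, _ = pre_parse(raw)
        entry = (PRIORITY.get(kind, 5), next(self._tie), raw)
        heapq.heappush(self._heap, entry)
        if len(self._heap) <= self.capacity:
            return True
        victim = max(self._heap)       # lowest priority, newest among equals
        self._heap.remove(victim)      # shed before full parsing runs on it
        heapq.heapify(self._heap)
        self.dropped += 1
        return victim is not entry     # False when the new message was shed

    def drain(self):
        """Hand messages to remainder parsing and processing, best first."""
        order = []
        while self._heap:
            order.append(pre_parse(heapq.heappop(self._heap)[2])[0])
        return order
```

With a capacity of 3 and the five constructed messages, the OPTIONS probe and then the new INVITE are shed while the BYE, the 200 OK and the REGISTER are processed in that order.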
All Corners Of Security Challenges
Figure: SIP at the centre, surrounded by:
Pressure of reducing operational costs & competition
Need to boost market confidence in security of VoIP, XoIP transactions
Regulatory requirements
Hacking & other attacks
Introducing SIP CIA Model
The CIA Triad is a widely used information assurance model. It consists of Confidentiality, Integrity and Availability.
Confidentiality: ensuring that information is accessible only by those who are authorized.
Integrity: ensuring that information is pristine/unaltered/complete.
Availability: ensuring that the information is available as per the needs.
Keys, Values & Codes CIA model for SIP Security
Session Universe - People, Processes and Enableware
Figure: SIP AS at the intersection of People, Process and Technology.
People
• Awareness about importance of SIP Security compliance
• Convergence mind set
Process
• Feedback loops with automated and interactive web based solutions to tie people, process and technologies together
SIP/IMS Technology
• Adaptive Messages for data gathering & analysis
• Platforms, Subsystems
• Databases
CIA model for SIP Security
The Model is ‘Always ON’
Two Parts to the Security Strategy
• Part One: Security Inside
Value Prop – Create Revenue
a. Enhances the Trust Model
1. End-to-end security approach in NGN
2. A solution – not more point products
3. Centralize management for response
b. Lower the Opex of Security Management
1. Central event correlation manager
2. Central resource manager
Value Prop - Enhance the Brand
a. Different from the competition
b. Creates a foundation for “trustworthiness”
• Part Two: Keeping IT Secure
Protect the network, keep it “trustworthy”
Integrated to lower the opex of security
Centralized Security Management
Enterprise Security Solutions
Figure: channels (Systems Integrators, Network service providers, Data/Converged VARs) around the solution areas listed below.
SIP is perhaps the latest and effective digital bridge of all known bridges
Nonstop Laptop Guardian
Pre/post admission control
User Aware Network Security
Mobile Users Security
Key Business Critical Application Security
Web Services Gateway
Personal Call Manager
PECaBoo
Allege – WorkTrack/ Field Supervisor
Enterprise Applications
A Location-based Service Product from Bell Labs Research & Mobility/IN
iLocator Features
A location-based track application / platform
Tracks people/events/places on a map
People: Track buddies within a vicinity
Events: Track if there is a sale or a traffic-jam nearby
Places: Display preferred shops, ATMs, gas stations, and restaurants in the user’s vicinity
Enables custom services targeting enterprises, families, government
For example, TeenTracker, FleetTracker, DirectionFinder
Supports SMS’ing from within the application
Works across network types, location techniques, handsets
Consumer Applications >> Data Messaging
PhonePages PeCaBoo
A phonepage is a light-weight home page added to your phone number
Subscribers push their pages to callers and receive pages on calls from other subscribers
Drives data session usage by letting subscribers surf during and after calls
Services used
Multiparty Call Control
User Interaction (WAP Push, SMS)
Displays in connection with phone calls
Different features at different events (for example, calling, rejected, busy)
Displays in multiple formats (for example, WAP, SMS, e-mail, etc.)
Enterprise Applications >> Data Messaging
EWay
Provides remote and secure access to enterprise networks for mobilizing and telecom-enabling enterprise IT applications and systems
Supports communication capabilities such as messaging, call management, content charging, presence and availability management, and universal service access through web, WAP and interactive voice
Services used
Call Control
User Interaction
Mobile internet and IVR access to MS Exchange and Outlook
Outbound call management with click- to-dial and voice activated dialing from contact lists
Consumer & Enterprise Applications
Fuzion
End-users specify personal preference to manage their communication needs.
Ability to define personal profile (at home, office, travel, can be reached at, etc) and instruct the system to handle incoming calls for call routing, call screening and notification treatment
Supports Personal communication portal (PCP) for personal address book, calendar, messages storage via Web, WAP and Voice interfaces
Services used
Call Control
User Interaction
Edge Protection
• Deployed at the edge of your network as your first line of defense
• Provides multi and blended threat security along with securing VoIP
• Protects critical VoIP (H.323, SIP) resources from attacks
SIP Security and Value
Value
Flexibility
Innovation
Focused approach on key areas where SIP Security can bring value through:
Innovation: by virtue of being an open protocol, it paves the way for innovation
Flexibility of deployment choices, modularity and openness (ecosystem)
User AwareNetwork Security
Most flexible solution to allow user pre and post admission control
Mobile Users Security
Unique solution solving the mobile blind spot
Key Business Critical Application Security
Industry first to provide stateful policy enforcement across organization
The Alcatel-Lucent VPN Firewall - Made for Global Scalability
Figure: Centralized Management With ALSMS. Managed Service Clients (Customer A, Customer B, Customer C), each behind an existing router and a VPN Firewall Brick® (models 20, 50-150, 700, 1100 and 1200), connect over the IP Network to Data Center Services on Core A / Core B (Active/Active Management) running ALSMS and ALSCS; the data center is segmented into VLAN 100 Extranet Server, VLAN 200 SAP Server, VLAN 300 Mail Server and VLAN 400 Public Server.
The Alcatel-Lucent Security Portfolio in the Enterprise
Technology
• ALVF with SRM/PDG/RBR
• Evros
• CloudControl
• Vital ISA (SEM)
• Vital AAA/QIP/Endforce
• AWARE
• Identity Management
• Security Prof Services
• Managed Security Services
Figure: a Network Cloud connecting Headquarters, Global Offices, Primary Data Center, Alternate Data Center, Manufacturing Center, SOC - 24X7, Mobile Workforce and Consultants.
Security in Call Scenarios
Applications - Reach Me “AnyWare”
Jacques owns a Real Estate Agency and wants to be reachable for (important) clients any time, anywhere – independent of the network he is connected to.
Figure: Jacques (Owner); Home in Evry; Office in Sorbonne (1pm – 5pm); Main Office in Concorde (8am – 12pm); Jacques’ Mobile Phone; Pierre - less important client; Michelle - important client.
He wants to use his convenient, high-quality wireline phones whenever he is in the office or at home
He uses his mobile phone when he is traveling
He wants to be reached at his current location, whether the caller dialed his office, home, or mobile number
He sometimes must change his regular schedule/preferences to serve important clients
Encryption
Symmetric
Encryption and decryption use the same key
Key must be secret (secret key)
Best known: DES, AES, IDEA, Blowfish, RC5
Asymmetric
Also known as Public Key Encryption
Encryption and decryption keys are different
One key is public, the other is private
Symmetric Encryption used for
Payload encryption (ESP)
Packet authentication (AH & ESP)
Asymmetric Encryption used for
Initial peer authentication in IKE
Key exchange in IKE
Conventions
Symmetric Encryption
Asymmetric Encryption
Two complementary keys
Private key (kept secret – usually protected by passphrase)
Public key (published) – Problem: Authenticity
Basic Premises
Keys are not computable from each other
Encryption with one key can only be reversed with the other key
Best known examples
RSA & ECC, DSA for signatures
Used in
(Open)PGP (Pretty Good Privacy) for digital signatures and encryption
PKI (Public Key Infrastructure) – e.g. certificates for web servers & SMIME
RSA – Rivest Shamir Adleman, ECC – Elliptic Curve Cryptography, DSA – Digital Signature Algorithm
Asymmetric Encryption cont’d
Hash Functions
Produce hash values for data access or security
Hash value: Number generated from a string of text
Hash is substantially smaller than the text itself and typically fixed length
Basic Premises:
Unlikely that other text produces the same hash value (collision resistance)
Unidirectional (cannot calculate text from hash)
Provides: Integrity & Authentication
Best known: SHA-1 & MD5
SHA – Secure Hash Algorithm, MD5 – Message Digest
Example:
$ echo The quick brown fox jumps over the lazy dog. | md5sum
0d7006cd055e94cf614587e1d2ae0c8e *-
$ echo The quick brown fox jumps over the lazy dog! | md5sum
54828ad41cf232a5c374689e2f06d3af *-
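An added example (not from the slides) behind the "Integrity & Authentication" claim: it measures how many digest bits a one-character change flips, as the md5sum lines show, and puts a keyed HMAC beside the bare hash to show why origin authentication needs a key that a bare hash does not have. The inputs are constructed and, unlike the echo lines, carry no trailing newline; the shared key is an assumption.

```python
import hashlib
import hmac

# Constructed inputs: the slide's sentence with and without a final period,
# hashed without the newline that echo appends.
TEXT_A = b"The quick brown fox jumps over the lazy dog"
TEXT_B = b"The quick brown fox jumps over the lazy dog."
SHARED_KEY = b"constructed-demo-key"   # assumed secret known to both ends

def digest_hex(data, algo="md5"):
    """Fixed-length, one-way hash of arbitrary-length data."""
    return hashlib.new(algo, data).hexdigest()

def bits_changed(hex_a, hex_b):
    """Number of digest bits that differ; a tiny input change flips about half."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")

def verify_plain(data, expected_hex, algo="md5"):
    """Integrity only: catches accidental change, but whoever can replace
    the data can recompute and replace the hash as well."""
    return hmac.compare_digest(digest_hex(data, algo), expected_hex)

def tag(data, key):
    """Keyed hash (HMAC-SHA-256): a valid tag can only be made with the key,
    so a matching tag also authenticates the origin of the data."""
    return hmac.new(key, data, "sha256").hexdigest()

def verify_tag(data, key, expected_tag):
    return hmac.compare_digest(tag(data, key), expected_tag)

def substitution_check():
    """Someone swaps TEXT_A for TEXT_B and recomputes what they can.
    Returns (bare hash check passes, HMAC check passes)."""
    plain_ok = verify_plain(TEXT_B, digest_hex(TEXT_B))   # recomputable without a key
    forged = tag(TEXT_B, b"guessed-key")                   # without SHARED_KEY
    return plain_ok, verify_tag(TEXT_B, SHARED_KEY, forged)
```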
Hash Functions cont’d
Certificate creation
SSH-2 Protocol Stack & Connection establishment
SSH-2 comprises multiple flexible hierarchical protocols.
TCP/IP
SSH Transport Layer Protocol (SSH-TRANS)
SSH Authentication Protocol (SSH-AUTH)
SSH Connection Protocol (SSH-CONN)
SSH File Transfer Protocol (SSH-SFTP)
Connection Establishment
1. SSH-TRANS – Authenticates host and does the initial key negotiations
2. SSH-AUTH – Authenticates user via flexible methods - Optional
3. SSH-CONN – Channel based services layer for – multiple channels simultaneously
4. SSH-SFTP – For remote file operations – Specific applications
Summing Up
1. Security is Ever Pervasive
2. SIP is no exception
3. SIP CIA Model
4. The ‘Always ON’ Model at Work
5. Call Flow Scenarios with built in SIP Security
www.alcatel-lucent.com