Service Provider Perspective on VoIP Security


Page 1

© Copyright 2006, Verizon. All rights reserved.

Service Provider Perspective on Voice over IP (VoIP) Security

Stu Jacobs, CISSP, CISM

ISSA Member

Sr. Technologist - PMTS

Verizon Laboratories

This material is part of ongoing efforts of Verizon and Verizon management to engage in thoughtful considerations of the fundamental changes and challenges facing the telecommunications industry. To meet its fiduciary responsibilities, management must explore all alternatives, even those that may appear highly speculative and hypothetical. Statements and representations contained herein are preliminary and/or tentative and should not be relied on unless approved by the appropriate Verizon governing body.

Page 2

Agenda

• Why security is needed

• Security Model, Services and Mechanisms

• Requirements and solutions

• VoIP Service Infrastructure

Page 3

What is Security Responsible for?

• Protecting customers (3rd person liability)

– Ensure the confidentiality and integrity of customer information.

– Maintain customer contracted service availability.

– Enforce customer access to only authorized features.

– Ensure error-free and non-malicious interaction between customers and the system.

• Protecting the system itself (1st person liability)

– Maintain the confidentiality and integrity of system information.

– Enforce operations access to only those system attributes that are authorized.

– Provide error-free and non-malicious interaction between operations and the system.

Page 4

The Past

• Closed circuit-based networks

• Physical security of central offices

• Password access to network elements

• Out-of-band signaling to reduce fraud

Page 5

The Evolving Threat

• Internal

– Malicious insiders are the greatest threat to our critical national infrastructures.

• External

– Today's geo-political climate will result in cyber attacks against national communications and control systems of economic, safety, or political significance.

– Politically (ideologically) motivated cyber attacks are increasing in volume, sophistication, and coordination.

Page 6

The Present

• The circuit network is a slow controlled process.

• IP-based networks will be very different.

• Denial of Service attacks are increasing.

• Speedy updates are essential now.

• Wireless access is growing.

• New services are coming.

Page 7

Historic vs. IP Networks

• Historic

– Network self-contained (limited external connectivity)

– Limited knowledge base of network systems

– Protocols not well known

– Limited common group of interconnectors

– Dumb subscriber terminals

• IP

– Connectivity to many networks (enterprise, residential, WiFi, Internet, ISPs)

– Switches, routers, DNS servers, etc., common to other TCP/IP networks

– TCP/IP, UDP, SIP, RTP and H.323 are publicly available

– Unknown, but high number of connectors

– SIP phones and soft-clients are computer-based intelligent processors: Microsoft Windows deploys SIP on every XP PC

Page 8

State of the Internet

• Today 18% of the Internet bandwidth is attack traffic

• There are now in excess of 30,000 bots in one network waiting to attack systems (Nigel Beighton, Symantec)

• SPIT (spam over Internet telephony), unsolicited bulk messages broadcast over VoIP, is quickly catching on

• Legislation is increasing in the security area

– In 1998 600 laws, today 1400 and growing; State privacy laws are changing too

• Speedy updates are essential now

– 99% of all successful compromises targeted known vulnerabilities

– In 2004, 10 days from known vulnerability to automated exploit. Two years ago it was 180 days.

– MIT study showed that an un-patched NT system was compromised in 55 seconds

• Computer viruses and hacking took a $1.6 trillion toll on the worldwide economy, $266 Billion in the US

• Companies lose 2.1% of their market value within 2 days after a security breach

Page 9

The Future

• Vulnerabilities in one carrier could ripple over to multiple interconnected carriers.

• Convergence will require significant retraining.

• New protocol servers, proxies and media gateways will have to be managed.

• New OSS need to be built.

• New services will stress the infrastructure.

• Voice, data and video will converge.

Page 10

Security Must Scale

• An international footprint; 1000s of COs, 100s of other buildings

• 100,000s of personnel

• 100,000s of employee desktop systems

• 1,000,000s of software controlled NEs

• 10,000,000s of customer CPE

• 100s of Peer carrier networks

Page 11

Security Model

The major rules to follow:

1. Trust can NOT be assumed; communication amongst systems and interaction between people & systems must be explicitly authenticated and authorized

2. Security must be layered, i.e. defenses in depth

3. Perimeter hardening, like physical measures, is just a first step

4. All network elements must be hardened as "defensive strong points" in their own right

5. Deploy multiple security technologies to counter the plethora of attack types in use today (growing over time)

6. Security integrated into systems, not bolted on later

7. Security MUST be manageable; the S in FCAPS must be more than just log file evaluation.

Page 12

Security Services

• Authentication

• Authorization (a.k.a. Access Control)

• Confidentiality

• Integrity

• Non-Repudiation

VoIP relies on many of the same security mechanisms as any other IP-based infrastructure

Page 13

Necessary Security Mechanisms

• Firewalls/Routers

• Session Border Controllers

• Anti-Virus

• Intrusion Detection Systems

• Intrusion Prevention Systems (Application Layer Firewalls)

• Authentication/Credential Servers

• Vulnerability Discovery

• Authenticated Signaling and Control

Page 14

Security Operations

• Asset Discovery/Classification

• Change Management

• Configuration Management

• Corrective Action

• Fault Management

• Provisioning

• Security Control Integration

• Security Control Upgrade

• Security Event Management

• Template Management

• Ticketing System

• Verification and Validation

• Vulnerability Detection (reactive)

• Vulnerability Discovery (proactive)

Page 15

Security Management

• Security Fault Management

– Event collection (IDS, traps, etc.), reconciliation/consolidation, alarm generation, attack identification, attack mitigation

• Security Configuration Management

– Packet filtering rules, cryptographic policies and parameters, security patches, access control rules, login accounts, etc.

• User Account Management

– Login authorization for administrative & craft (could be expanded to cover: peer-carrier, law enforcement, vendor, customer)

• Security Authentication Credentials Management

– Passwords, SecurID (tokens), RADIUS, symmetric/asymmetric cryptographic key material

• Validation Management

– Auditing, Vulnerability Analyses, Intrusion Detection

• Corrective Action Management

– Trouble ticketing

• Security Management Information Base Repository

– Central repository of all network element security attributes (ANSI standard letter ballot coming in 1H-2006)

Page 16

VoIP Security

Page 17

VoIP Attacks

• Over 4,527 SIP invite attacks discovered in the Protos test suite for SIP INVITE messages

• SIP phone configuration eavesdropping of unsecured downloads

• Compromised Domain Name Servers resolving routes to hijacked proxy server

• SIP phone registration hijacking and identity theft/impersonation

• SIP proxy impersonation allowing interception, eavesdropping and fraudulent routing of calls.

• SIP message tampering and RTP stream injection (Spam over Internet Telephony…SPIT)
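The deck lists "Authenticated Signaling and Control" as a necessary mechanism (Page 13), alarm generation from security events as a Security Fault Management task (Page 15), and SIP registration hijacking as an attack (above). As an added example that is not part of the slides or of any Verizon system, the Python below shows the registrar-side check that ties the three together: a REGISTER's SIP Digest response (RFC 3261, no qop) is verified before the Contact binding is accepted, and a request that fails authentication while trying to move an existing binding is turned into a security event. The realm, credentials, hosts and messages are constructed for the example.

```python
import hashlib
import hmac
import re
# Constructed registrar state for this example (not real credentials or hosts).
REALM = "voip.example.net"
CREDENTIALS = {"alice": "s3cret-alice"}            # user -> password
BINDINGS = {"alice": "sip:alice@192.0.2.10:5060"}  # user -> registered Contact

def digest_response(user, password, method, uri, nonce):
    """RFC 3261 Digest without qop: MD5(HA1:nonce:HA2)."""
    h = lambda s: hashlib.md5(s.encode()).hexdigest()
    ha1 = h(f"{user}:{REALM}:{password}")   # HA1 = MD5(username:realm:password)
    ha2 = h(f"{method}:{uri}")              # HA2 = MD5(method:digest-uri)
    return h(f"{ha1}:{nonce}:{ha2}")

def build_register(user, contact, nonce, response):
    """Minimal REGISTER with a Digest Authorization header (constructed input)."""
    return (f"REGISTER sip:{REALM} SIP/2.0\r\nTo: <sip:{user}@{REALM}>\r\n"
            f"Contact: <{contact}>\r\n"
            f'Authorization: Digest username="{user}", realm="{REALM}", '
            f'nonce="{nonce}", uri="sip:{REALM}", response="{response}"\r\n\r\n')

def parse_register(msg):
    """Return (method, request-uri, lower-cased headers, Authorization params)."""
    head = msg.partition("\r\n\r\n")[0]           # headers end at the blank line
    request_line, *header_lines = head.split("\r\n")
    method, uri, _ = request_line.split(" ", 2)
    headers = {n.strip().lower(): v.strip()
               for n, _, v in (ln.partition(":") for ln in header_lines)}
    auth = dict(re.findall(r'(\w+)="([^"]*)"', headers.get("authorization", "")))
    return method, uri, headers, auth

def process_register(msg, expected_nonce):
    """Registrar decision -> (status, alarm). The Contact binding moves only after
    the digest verifies; a failed digest that tries to move it is a security event."""
    method, uri, headers, auth = parse_register(msg)
    user, contact = auth.get("username"), headers.get("contact", "").strip("<>")
    if user not in CREDENTIALS or auth.get("nonce") != expected_nonce:
        return 401, None                      # issue (or re-issue) a challenge
    expected = digest_response(user, CREDENTIALS[user], method,
                               auth.get("uri", uri), expected_nonce)
    if not hmac.compare_digest(expected, auth.get("response", "")):
        alarm = None
        if user in BINDINGS and contact != BINDINGS[user]:
            alarm = f"possible registration hijack of {user}: rejected Contact {contact}"
        return 403, alarm
    BINDINGS[user] = contact
    return 200, None
```

In a deployment the alarm would be forwarded to the security event manager alongside the IDS events and traps the deck lists; here it is simply returned to the caller.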

Page 18

Service Network Functional Model

[Diagram: "Service/Network Architecture Functional Model", Version 4.0, 25 March 2005, Base View. Only the labels survive extraction.]

• Domains and layers: End-User Domain, Access, Verizon Domain / Service Provider Domain, Partner Carrier Domain; Transport (Layers 1-4), Signaling & Control, Applications & Services, Operations.

• Functional Groups (FG): IP Service Edge, IP Network Infrastructure (DNS/ENUM, NTP), Session Control (SIP Processing, SIP Registrar, H.323 Interworking), MGC, Network Policy (Routing Policy), Data Resources, Media Resources, Subscriber Policy (User AA, Service Policy), User/Service Management (Context, Subscriber and Service Mgmt), Integrated Services, SCP/AIN, FCAPS (Fault Mgmt, Accounting, Config Mgmt, Security Mgmt).

• Endpoints and clients: Std POTS Phone, SIP Endpoints (e.g. Phone, IAD), H.323 Endpoints (e.g. PBX), Video Endpoints (e.g. STB), SBC / SBC-SP, Web Browser, IM, Email/Vmail, iobi, SIP Client, App Client.

• Interface legend: Secured Signaling (Data) Interface, Signaling (Data) Interface, IP Bearer Interface, TDM Bearer Interface.

• Protocol / protection annotations on the links: SIP Digest / TLS; SIP TLS / IPSEC; SIP none / IPSEC; H.323 none / IPSEC; H.248 none / IPSEC; SNMPv1,2,3 none / IPSEC; HTTP(s) SSLv3; HTTP(s)/SOAP, LDAP; SIMPLE, XMPP; SMTP, POP3, IMAP4; RADIUS; DHCP; RTP; MPEG2/UDP; DSM-CC/UDP, RTSP/TCP; SIP/MSCML; Parlay/JAIN; TCP/XML; GR 1129; Certificates; Element AA; TDM bearer with ISUP and TCAP.

• Reference points: 1 UNI Signaling Interface; 2 not used; 3 ANI (target) (e.g. IMS ISC interface); 4 UNI Bearer Interface; 5 NNI Bearer Interface; 6 NNI Signaling Interface; 7 UNI Signaling Interface; 8 UNI Bearer Interface.

Page 19

New Protocols & Functionality

• Signaling

– SIP, H.248, MGCP, Skinny, ISUP, TCAP

• Bearer Traffic

– RTP/SRTP, SCTP

• Infrastructure

– Profiles, Credentials, Time, Directories

• Services

– Basic, Conferencing, Unified Messaging, Presence, Location, Brokering, etc.

Page 20

Where Do Standards Fit In?

• Approved Standards

– ANSI T1.276, T1.678

– ITU-T X.800, X.81x, M.3016

– ANSI/TIA J-STD-025a (-b)

• Work in Progress

– ATIS PTSC Signaling & Control, TMOC SMS

– ITU-T NGN

– ETSI TISPAN

– IETF, MSF, OIF, VOIPSA, others

Page 21

Conclusion

• Vendors need to take security seriously as they architect and design next generation components.

• The goal is reliable and trustworthy communications and operations.

• Learning from the past and present will ensure that future networks will be built with the appropriate security mechanisms and policies/procedures.

Page 22

Questions?

Page 23

Thank you

Stuart Jacobs, CISSP, CISM

PMTS - Sr. Technologist, Network Security

Verizon Laboratories

40 Sylvan Road, Waltham, MA 02451-1128 USA

telephone: (781) 466-3076

fax: (781) [email protected]