VoIP security– myths & realities

Ishai RosmarinSales Director – EMEAIRosmarin@acmepacket.com

in IPwe don’ttrustanyone!

VoIP security in the news

VoIP Security Alert: Hackers Start

Attacking For Cash (June 2006)

Two Men Charged With Hacking Into

VoIP Networks (June 2006)

The Internet's a Scary Place for Voice(May 2006)

Is Your VoIP Phone Vulnerable?

(June 2006)

Are Hackers Eyeing your VoIP Network?

(Sept. 2006)

VoIP Security: It's More Than Data Security(Aug. 2006)

4

Security Concerns

• Everyone worries

about security

• DoS attacks and

overloads are biggest

worry

Source: Service Provider Plans for Next Gen Voice 2006 (July 2006)

29%

75%

75%

63%

79%

54%

42%

33%

0% 20% 40% 60% 80%

Trade performancefor security

SPIT

Illegal wiretapping

Service topology exposure

Service fraud

User privacy and confidentiality

User/device authenticationand authorization

DoS attacks and overloads ofnext gen voice service

infrastructure

Percent of Next Gen Voice

Respondents Rating 6 or 7

VoIP security threats & solutions

IMS: Is Missing Security

DoS/DDoS

attacks

Traffic

overloads

Viruses &

malware

Service

fraud

Identity

theft

Eves -

dropping

SPIT

Security feature requirement IMS function/feature

Access control - static IP address list Core IMS functions, not applicable for UE

Access control - dynamic IP address list Not addressed IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII x

Topology hiding (NAPT at L3 & L5) I-BCF only, THIG sub-function IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII

Authentication - subscriber & CSCF IPSec, SIP digest IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII

Authorization - subscriber HSS function IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII

Signaling encryption IPSec IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII

Media encryption Not addressed IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII

Admission control - I/S-CSCF constraints Not addressed

Admission control - network bandwidth constraints PDF/RACS functionAdmission control - user limits: sessions (#) Not addressed IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII

Admission control - user limits: bandwidth Not addressed IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII

SIP message & MIME attachment filtering/inspection Not addressed IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII

Signaling rate monitoring & policing Not addressed IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII

Bandwidth monitoring & policing Not addressed IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII

Call gapping - destination number Not addressed IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII

Call gappping - source/destination CSCF or UE Not addressed IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII

QoS marking/mapping control Not addressed IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII

Internet

Types_ Malicious attacks_ Non-malicious – poor behaving

endpoints, power outages

Solution requirements

_ SBC DoS self-protection• Access control - static & dynamic• Trusted & untrusted paths with policed

queues• IDS capabilities

_ Service infrastructure DoS prevention• Access control - static & dynamic• Topology hiding• Signaling rate plicing• Bandwidth policing

DoS/DDoS attacks threatensubscriber retention and revenue

PSTNTransit& O&T

HIP ICServices

O&T

HIP ICServices

1

2

4

3

Viruses & malware can threaten ICendpoints and service infrastructure

SIP MIME attachments are powerful tool for richer call ID- vcard text, picture or video

Potential Trojan horse for viruses and worms to general-purpose server-based voice platforms_ SIP softswitch, IMS CSCF, SIP servers, app servers_ SIP PBX_ SIP phones & PCs

New endpoint vulnerabilities_ Embedded web servers - IP phones_ Java apps – liability or asset?

Solution requirements_ Authentication_ SIP message & MIME attachment filtering_ Secure OS environment

SQL

Slammer

Melissa

Code Red

Nimda

Sobig

Love

Bug

Klez

Michelangelo

Internet

Service fraud riskis business model dependant

Business model dimensions_ Internet vs. managed network_ Free vs. fee based_ Anonymous vs. not anonymous

Types of fraud_ Service theft_ QoS theft_ Bandwidth theft

Solution requirements_ Access control_ Authentication – subscriber

& SIP signaling elements_ Authorization – subscriber_ Admission control – subscriber

limits - # sessions & bandwidth_ QoS marking/mapping control_ Bandwidth policing

PSTNMPLS

NONE

NONE

DiffServ-31

2

4

3

A B

Identity theft can’t beprevented entirely by technology

How do you know you are talking to Bank of America?

Web site techniques don’t work for IC- work for many-one, not many-many

Solution requirements– Authentication, access control– Trust chains - pre-established technical & business relationships

Eavesdropping threat is over hyped

Less risk than email, who encrypts email?_ Email is information rich (attachments), voice not_ Email always stored on servers, only voice mail_ Email always stored on endpoints, voice not

Who is at risk?_ Bad guys - Osama, drug cartels,

pedophiles, etc._ Law enforcement_ Money, love, & health-related

– insider trading, adultery, ID theft,

Solution requirements_ Authentication – subscriber_ End-to-end encryption (EXPENSIVE)

• Signaling (TLS, IPSec)• Media (SRTP, IPSec)

SPIT will be annoying,& possible tool for ID theft

Will anonymous, cheap Yahoo subscriber (aka SPITTER)be able to call money-paying Verizon subscriber to solicit- phone sex, penis enlargement, Viagra pill purchase?

Techniques that won’t work_ Access control – static_ Content filtering_ Charging - $/call_ Regulation

Solution requirements_ Access control

– dynamic, IDS-like_ Authentication_ Admission control

– subscriber limits (#)_ Trust chains - pre-established

technical & business relationships

Who is responsible for security?

The individual The organization

The future IC net?

The Internet

I

The Federnet

FF

F

F F

Net-Net

Security issues are very complex and multi-dimensional

Security investments are business insurance decisions_ Life – DoS attack protection_ Health – SLA assurance_ Property – service theft protection_ Liability – SPIT & virus protection

Degrees of risk_ Internet-connected ITSP ` High_ Facilities-based HIP residential services_ Facilities-based HIP business services

_ Peering Low

_ NEVER forget disgruntled Malcom, OfficeSpace

Session border controllers enable service providersto insure their success

Monitor, report & recordattacks & attackers;provide audit trails

Net-SAFE – security requirementsframework for session border control

Protect against SBC DoS attacks & overloads(malicious & non-malicious)

Session-awareaccess control

for signaling& media

Prevent DoSattacks on serviceinfrastructure &subscribers

Completeservice

infrastructurehiding & user

privacy support

Support for L2 and L3 VPNservices and security

Prevent misuse & fraud;protect againstservice theft

Acme Packet Net-Net SD “flawlessly passedall of CT Labs’ grueling attack tests”

Total of 34 different test cases, using over 4600 test scripts

No failed or dropped calls, even for new callsmade during attacks

No lost RTP packets during attacks

Protected the service provider equipment – did notallow flood attacks into core, stopped packets at edge

SD performance not impacted during attack

– SD CPU utilization - only10% increase

– Signaling latency - only2 ms average increase

– RTP jitter – lessthan 1 ms increase(not measurable bytest equipment)

Acme Packet SBCDoS/DDoS protection

Network processor (NPU) -based protection– L3/4 (TCP, SYN, ICMP, etc.) & signaling attack detection & prevention -– Dynamic & static ACLs (permit & deny) to SPU– Trusted & untrusted paths to SPU w/configurable bandwidth allocation &

bandwidth policing per session– Trusted devices - guaranteed signaling rates & access fairness– Untrusted devices – can access unused

trusted bandwidth– Separate queues for ICMP, ARP, telnet, etc.– Reverse Path Forwarding (uRPF)

detection - signaling & media– Overload prevention - 10 Gbps

NPUs > 8 Gbps network interfaces

Signaling processor (SPU)-based protection– Overload protection threshold

(% SPU) w/graceful call rejection– Per-device dynamic trust-binding

promotes/demotes devicesNetwork

processor

Intelligenttraffic

manager

Networkprocessor

Signalingprocessor

Securityprocessor

The leaderin session border control

for trusted, first classinteractive communications