Secure IP Telephony using Multi-layered Protection
Brennen Reynolds, Off-Piste Consulting, LLC (formerly of University of California, Davis)
Dipak Ghosal, University of California, Davis

Motivation
• What is IP Telephony?
  • Packetized voice over IP
  • PSTN access through Media/Signal Gateways (MSG)
• Benefits:
  • Improved network utilization
  • Next generation services
• Growth:
  • Revenues $1.7 billion in 2001; 6% of international traffic was over IP, and growing [Frost 2002] [Telegeography 2002]
  • Standardized, deployed protocols (TRIP, SIP, H.323)

Security Is Essential
• IP Telephony inherits all properties of the IP protocol, including its security weaknesses
• Ensuring the security of a critical service must be a top priority
• Convergence of two global and structurally different networks introduces new security weaknesses

Agenda
• IP Telephony Enabled Enterprise Networks
• IP Telephony Call Setup
• Vulnerability Analysis
• Detection and Control of Flood-based DoS Attacks
• Preliminary Experimental Results
• Future Work
Net-to-Net Call Setup
1. A request is sent (SIP INVITE) to ESTABLISH a session
2. DNS Query for the IP Address of the SIP Proxy of the Destination Domain
3. The INVITE is forwarded
4. The Location Service is queried to check that the destination IP address represents a valid registered device, and for its IP Address
5. The request is forwarded to the End-Device
6. Destination device returns its IP Address to the originating device and a media connection is opened (Media Transport)
Vulnerability Analysis
• Property oriented approach
  • Access control to use IP telephony service
  • Integrity and authenticity of IP telephony signaling messages
  • Resource availability and fairness in providing IP telephony service
  • Confidentiality and accountability

Access Control
• Deny unauthorized users access to IP telephony service
• Central authentication servers
  • E.g.: RADIUS server
  • Enable various network elements to query the authentication server

Integrity and Authenticity of Signaling Messages
• Call Based Denial of Service
  • CANCEL messages, BYE messages, Unavailable responses
• Call Redirection
  • Re-registering with a bogus terminal address, user moved to a new address, redirect to an additional proxy
• User Impersonation

Payload Encryption
• Capture and decoding of voice stream
  • Can be done in real-time very easily
• Capture of DTMF information
  • Voice mail access code, credit card number, bank account
• Call profiling based on information in message headers

Resource Fairness and Availability
• Flood based attacks
  • Network bandwidth between enterprise and external network
  • Server resources at control points
    • SIP Proxy Server
    • Voice ports in Media/Signaling Gateway
    • Signaling link between Media/Signaling Gateway and PSTN
  • End user

Internet Originated Attack
• Enterprise network connection can be flooded using techniques like SYN flooding
• Resources on the SIP proxy can be exhausted by a large flood of incoming calls
• End user receives a large number of SIP INVITE requests in a brief period of time

PSTN Originated Attack
• Signaling link between M/S gateway and PSTN STP becomes saturated with messages
• Voice ports on the M/S gateway are completely allocated
• Large number of PSTN endpoints attempt to contact a single individual, resulting in a high volume of INVITE messages
Application Layer Attack Sensor (ALAS)
• Monitors the number of SIP INVITE requests and SIP OK (call acceptance) responses
  • URI level monitor
  • Aggregate level monitor
• Detection Algorithm
• Response Algorithm
  • Proxy or M/S gateway returns temporarily busy messages

Transport Layer Attack Sensor (TLAS)
• Monitors the number of TCP SYN and ACK packets
• Traffic is monitored at an aggregate level
• Upon detection of an attack, throttling is applied by perimeter devices (e.g. firewall)
• If the attack persists, traceback technologies can be used to drop malicious traffic at an upstream point

RTP Stream Attack Sensor (RSAS)
• Detects malicious RTP and RTCP streams
• Parameters of the RTP streams are known at connection setup time
• Police individual streams
  • Statistical techniques to determine large flows
• Packets corresponding to the malicious streams are dropped at the firewall
• Cooperation of upstream routers is needed to mitigate link saturation
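The per-stream policing step of RSAS, as an added illustration (not the authors' code): each RTP stream, identified by its SSRC, is checked against the packet rate and bandwidth implied by the parameters negotiated at call setup, and streams exceeding them are reported as candidates for a firewall drop rule. The negotiated values, the headroom factor and the packet samples are constructed assumptions; the statistical large-flow detection the slide mentions is not implemented here.

```python
from collections import Counter
from math import floor

# Stream parameters negotiated at call setup for a constructed call (PCMU/8000,
# 20 ms packetization), i.e. what RSAS knows about the stream before media flows.
NEGOTIATED = {"pps": 50, "payload_bytes": 160}
HEADROOM = 1.25   # assumed: tolerate 25% over the nominal rate (jitter, bursts)

def police_streams(packets, negotiated=NEGOTIATED, window_s=1.0):
    """packets: iterable of (time_s, ssrc, payload_len) for RTP packets seen at
    the perimeter. Returns {ssrc: reason} for every stream that exceeds its
    negotiated packet rate or bandwidth in any window; those are the streams
    the firewall would then drop."""
    pkts, byts = Counter(), Counter()
    for t, ssrc, plen in packets:
        key = (ssrc, floor(t / window_s))     # bucket per stream and window
        pkts[key] += 1
        byts[key] += plen
    max_pkts = negotiated["pps"] * window_s * HEADROOM
    max_bytes = max_pkts * negotiated["payload_bytes"]
    flagged = {}
    for key, n in pkts.items():
        if n > max_pkts:
            reason = "packet rate"
        elif byts[key] > max_bytes:
            reason = "bandwidth"
        else:
            continue
        flagged.setdefault(key[0], reason)   # keep the first reason per SSRC
    return flagged

def sample_packets():
    """Constructed one-second capture: SSRC 0x1111 behaves (50 pps, 160 B),
    0x2222 floods at 200 pps, 0x3333 keeps the rate but sends 1400 B payloads."""
    pk = [(i * 0.020, 0x1111, 160) for i in range(50)]
    pk += [(i * 0.005, 0x2222, 160) for i in range(200)]
    pk += [(i * 0.020, 0x3333, 1400) for i in range(50)]
    return pk

if __name__ == "__main__":
    print(police_streams(sample_packets()))
```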
Detection Algorithm for ALAS
• Monitoring the volume of connection attempts vs. the volume of completed connection handshakes can be used to detect an attack
• Based on the sequential change point detection method proposed by Wang, Zhang and Shin (Infocom 2002) to detect TCP SYN attacks

Detection Algorithm
• All connection setup attempts and completed handshakes are counted during the observation period
• During each sampling period the difference is computed and normalized

Detection Algorithm Cont.
• Under normal operation, the resulting value should be very close to 0
• In the presence of an attack, the result is a large positive number
• A cumulative sum method is applied to detect short high volume attacks as well as longer low volume attacks

Recovery Algorithm
• Linear Recovery
  • This is the default behavior of the detection algorithm
• Exponential Recovery
  • The cumulative sum decreases multiplicatively once the attack has ceased
• Reset after Timeout
  • The cumulative sum decays linearly until a timer expires, at which point it is reset to 0
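The detection and recovery algorithms above, worked through as an added example (not the authors' code): per sampling period the INVITE count minus the OK count is normalized and shifted so it sits below 0 in normal traffic, a cumulative sum accumulates the excess, and the three recovery modes differ in how that sum comes back down once the flood stops. The same statistic applies to the SYN/ACK counts of TLAS. Normalizing by the recent average OK count, the offset a, the threshold, the decay factor, the timeout and the sample counts are all assumptions.

```python
class AlasDetector:
    """CUSUM-style sequential change-point detector over per-period SIP
    INVITE (attempt) and OK (completed handshake) counts, in the style of
    the ALAS description. Added illustration, not the authors' code; the
    offset a, threshold, decay factor and timeout values are assumptions."""

    def __init__(self, threshold=4.0, a=0.3, recovery="linear",
                 decay=0.5, timeout=3, window=10):
        self.threshold = threshold  # alarm once the cumulative sum exceeds this
        self.a = a                  # offset: statistic stays negative in normal operation
        self.recovery = recovery    # "linear" (default), "exponential" or "timeout"
        self.decay = decay          # multiplicative factor for exponential recovery
        self.timeout = timeout      # quiet periods before the sum is reset (timeout mode)
        self.window = window        # past periods used to estimate the normal OK rate
        self.cusum = 0.0
        self.ok_history = []        # recent OK counts
        self.quiet = 0              # consecutive periods without excess INVITEs

    def observe(self, invites, oks):
        """Feed one sampling period's counts; return True while alarming."""
        avg_ok = sum(self.ok_history) / len(self.ok_history) if self.ok_history else oks
        self.ok_history = (self.ok_history + [oks])[-self.window:]
        # Normalized difference: about 0 (minus a) normally, large positive in a flood.
        x = (invites - oks) / max(avg_ok, 1.0) - self.a
        if x > 0:                                   # attempts outrun completions
            self.cusum += x
            self.quiet = 0
        elif self.recovery == "exponential":        # shrink multiplicatively after the attack
            self.cusum *= self.decay
        else:                                       # linear decline, the default behaviour
            self.cusum = max(0.0, self.cusum + x)
            self.quiet += 1
            if self.recovery == "timeout" and self.quiet >= self.timeout:
                self.cusum, self.quiet = 0.0, 0     # timer expired: reset to 0
        return self.cusum > self.threshold

def alarms(periods, **kwargs):
    """Run one detector over (invites, oks) samples; return the alarm flag per period."""
    det = AlasDetector(**kwargs)
    return [det.observe(i, o) for i, o in periods]

# Constructed samples (counts per sampling period): a short unanswered INVITE
# flood between normal periods, and a long low-volume ("stealth") attack.
FLOOD = [(10, 9), (11, 9), (60, 9), (60, 9), (10, 9), (10, 9), (10, 9)]
STEALTH = [(14, 9)] * 16

if __name__ == "__main__":
    for mode in ("linear", "exponential", "timeout"):
        print(mode, alarms(FLOOD, recovery=mode))
    print("stealth", alarms(STEALTH))
```

With linear recovery the alarm stays up for many periods after the flood, exponential recovery clears it within two periods, and the timeout variant clears it when the timer expires; the stealth sample shows the sum creeping over the threshold only after many low-volume periods.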
Preliminary Results
• Types of attack
  • Limited DoS attack
    • Single user targeted by one or more attackers
  • Stealth DoS attack
    • Multiple users targeted by one or more attackers, each with a low volume of call requests
  • Aggressive DoS attack
    • Multiple users targeted with a high volume of call requests
• Ability to detect both aggregate level attacks and attacks on individual URIs

Preliminary Results
(Figure: Limited DoS attack with 10 calls/min to a single URI)

Future Work
• Detailed analysis
  • Tradeoff between detection time and false alarm rate
• Formal vulnerability analysis
  • Additional vulnerabilities with ENUM
• Routing layer issues
  • Vulnerabilities of multihomed networks

Additional Information
• Master’s Thesis: Enabling Secure IP Telephony in Enterprise Networks
  http://www.off-pisteconsulting.com/research/pubs/reynolds-ms_thesis.pdf
• Presentation Slides
  http://www.off-pisteconsulting.com/research/pubs/ndss03-slides.ppt
• Contact Information:
  Brennen Reynolds, Off-Piste Consulting, LLC, brennen@off-pisteconsulting.com
  Dipak Ghosal, PhD, University of California, Davis, ghosal@cs.ucdavis.edu