Deploying IP Telephony in an Enterprise and the Vulnerabilities that Come With It
Brennen Reynolds, Department of Electrical and Computer Engineering, University of California, Davis
Security Lab Seminar – 7/17/02
Agenda • Introduction to IP Telephony • Challenges Faced with Deploying IP Telephony in Enterprises • Proposed Architecture Solutions • Security Issues Surrounding Converged Networks • An Architecture to Handle DoS Attacks
What is IP Telephony? • The use of the Internet Protocol to implement POTS telephony functionality over a data network • IP Telephony is NOT the same as VoIP • VoIP uses IP to transport voice traffic over ANY network
Implementing IP Telephony • Key Protocols: • Signaling - SIP or H.323 • Handles establishment, maintenance and teardown of sessions • Media Transport - RTP & RTCP • Transmits voice samples • Supporting Services - DNS, ENUM, TRIP, RSVP, STUN • Improve performance and ease of use
Typical Call Setup • 1. The originating SIP IP phone sends a request (SIP INVITE) to its SIP proxy to ESTABLISH a session • 2. The proxy sends a DNS query for the IP address of the SIP proxy of the destination domain • 3. The INVITE is forwarded to the destination domain's SIP proxy • 4. The destination proxy queries its Location Service to check that the destination user is a valid registered device, and to obtain that device's IP address • 5. The request is forwarded to the end device • 6. The destination device returns its IP address to the originating device and a media connection (RTP) is opened directly between the two phones
Why IP Telephony? • Advanced Services • video, email, instant messaging and web • Reduced Network Costs • Cheap computer equipment vs. expensive proprietary telco equipment • Reduced bandwidth usage per call • G.711 (PSTN codec) uses 64 kbps per call • IP Telephony codecs can use anywhere from 32 kbps down to 5.3 kbps per call
Challenges • Speech quality • Network Delay, Jitter, Packet Loss, Encoding Technique • Network requirements • Must match current carrier grade network uptime (99.999%, about 5 min downtime per year) • Must be capable of handling a huge volume of calls (in addition to other data applications) • Must allow for network modification
Challenges Cont. • Access Management & Traffic Prioritization • Voice and data traffic have different requirements • Users must always be able to make a high quality call • Large data transfers may need to be throttled back • Security • Both data and voice share same network resources • IP protocol has security problems associated with it • Call signaling is now in-band with call data • Added intelligence at network edge (phone) • Susceptibility to attacks
Problems Encountered • Major categories of problems • Network Capacity • Network Middleboxes • Firewall • Network Address Translation
Infrastructure Problems • How much load would be added by IP Telephony? • Can an enterprise network designed for standard data applications provide the necessary guarantees? • Should IP Telephony be run over a separate data network?
Firewall Problems • Must allow new ports to be opened • Media does not use well-known ports • Ports are negotiated at runtime • Transmitted in the application-level header (the SDP body of the SIP message), not in the IP/UDP headers the firewall inspects • Must allow UDP traffic to pass through the firewall • Many enterprises don't want to allow this
NAT Problems • User Agents require routable end-to-end connections • Purpose of NAT is to hide private addresses behind a public one • IP addresses now appear in multiple places in the packet • Not just the IP header: also SIP headers (Via, Contact) and the SDP body • NAT devices only translate IP (and transport) header information, so the embedded private addresses reach the far end unchanged
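An added example, not from the talk, that makes the two middlebox points concrete: a constructed SIP INVITE from a phone on a private address is parsed to show that the media address and RTP/RTCP ports a firewall would have to open, and the private addresses a NAT would have to rewrite, sit in the SIP headers and the SDP body rather than in the IP/UDP headers. The phone address 10.0.0.5, the URIs, the Call-ID and the RTP port 49170 are assumed values.

```python
"""Added example (not from the talk): where a SIP call's media endpoints and
private addresses live inside the message, and what that means for a
firewall and a NAT. All addresses, URIs and ports are assumed values."""
import ipaddress
import re

PRIVATE_PHONE = "10.0.0.5"   # assumed RFC 1918 address of the calling phone

# Constructed SDP body: the media address (c=) and RTP port (m=) are carried
# here, in the application payload, not in any IP or UDP header.
SDP_BODY = (
    "v=0\r\n"
    f"o=alice 2890844526 2890844526 IN IP4 {PRIVATE_PHONE}\r\n"
    "s=-\r\n"
    f"c=IN IP4 {PRIVATE_PHONE}\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0 8\r\n"
    "a=rtpmap:0 PCMU/8000\r\n"
    "a=rtpmap:8 PCMA/8000\r\n"
)

# Constructed SIP INVITE carrying that body (step 1 of the call setup).
INVITE = (
    "INVITE sip:bob@example.org SIP/2.0\r\n"
    f"Via: SIP/2.0/UDP {PRIVATE_PHONE}:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:alice@example.com>;tag=1928301774\r\n"
    "To: <sip:bob@example.org>\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "CSeq: 314159 INVITE\r\n"
    f"Contact: <sip:alice@{PRIVATE_PHONE}:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    f"Content-Length: {len(SDP_BODY.encode())}\r\n"
    "\r\n" + SDP_BODY
)


def split_message(raw):
    """Split a SIP message into (request line, {header: value}, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def media_endpoints(sdp):
    """[(ip, rtp_port, rtcp_port)] for each m= line of an SDP body.
    A c= line before any m= is session level; one after an m= overrides it
    for that media stream. RTCP defaults to the RTP port + 1."""
    session_ip = None
    streams = []                       # [ip or None, rtp_port]
    for line in sdp.splitlines():
        if line.startswith("c="):
            ip = line.split()[2]
            if streams:
                streams[-1][0] = ip
            else:
                session_ip = ip
        elif line.startswith("m="):
            streams.append([None, int(line.split()[1])])
    return [(ip or session_ip, port, port + 1) for ip, port in streams]


def firewall_pinholes(raw):
    """UDP pinholes a firewall must open for the call's media. They are only
    knowable by reading the SDP body, and they change from call to call."""
    _, _, body = split_message(raw)
    return [("udp", ip, p) for ip, rtp, rtcp in media_endpoints(body)
            for p in (rtp, rtcp)]


_ADDR = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def embedded_private_addresses(raw):
    """(field, address) pairs for every private address inside the SIP
    headers and SDP body. A NAT that rewrites only the IP header leaves all
    of these untouched, so the far end answers to an unroutable address."""
    found = set()
    for line in raw.split("\r\n"):
        field = line.split(":")[0].split("=")[0]      # "Via", "Contact", "c", "o"
        for addr in _ADDR.findall(line):
            try:
                if ipaddress.ip_address(addr).is_private:
                    found.add((field, addr))
            except ValueError:            # dotted token that is not an address
                continue
    return sorted(found)


if __name__ == "__main__":
    for hole in firewall_pinholes(INVITE):
        print("firewall must open", hole)
    for field, addr in embedded_private_addresses(INVITE):
        print("NAT must rewrite", field, addr)
```

Running it lists two UDP pinholes (RTP 49170 and RTCP 49171) that no header-level rule could have anticipated, and four fields (Via, Contact, o=, c=) carrying the private address that a plain NAT never rewrites; this is exactly the work an application-aware firewall or SIP proxy takes over in the STEM-style architecture.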
Proposed Solutions • All Access • Traffic Redirection • Application Proxy • Protocol Tunneling
All Access • Removes all restrictions • Accomplished by removing NAT devices • Removal of all firewall rules • Provides no security at all
Traffic Redirection • All telephony traffic destined for endpoints outside the enterprise is redirected over the PSTN • Negates the reduced cost of deploying IP telephony because a large number of PSTN voice trunks are still required
Application Proxy • A proxy server is positioned in parallel with the firewall • All IP telephony traffic is routed through the proxy instead of the firewall • Each new application will require an individual proxy • Additional interface to the enterprise network
Protocol Tunneling • All IP telephony traffic is sent through a tunnel running over a fixed port scheme • Added overhead of encapsulating each packet • Provides an avenue for malicious traffic to disguise itself as legitimate
STEM Network Architecture • Firewall is aware of the entire network stack and automatically opens pinholes • SIP proxy server protected in the DMZ • Requires replacement of existing firewalls with dynamic, intelligent versions
Solving Security Issues • With Strong Authentication • With Payload Encryption • With Enterprise Domain Authentication • With Network Architecture
Strong Authentication • Call-Based Denial of Service • Spoofed CANCEL messages, BYE messages or Unavailable responses tear down or block legitimate calls • Call Redirection • Re-registering with a bogus terminal address, "user moved to new address" responses, forcing calls through an additional proxy • User Impersonation
Payload Encryption • Capture and decoding of voice stream • Can be done in real-time very easily • Capture of DTMF information • Voice mail access code, credit card number, bank account • Call profiling based on information in message headers
Enterprise Domain Authentication • Unauthorized party connected to the enterprise network making calls • Enterprise networks are easy to gain access to • Wireless, conference rooms, waiting areas • A single user could easily saturate the voice ports at the M/S gateway if they wanted to
Network Architecture • Resource consumption DoS attacks • Network bandwidth, server resources, human time • Camouflaging hostile traffic • Malicious data flows
DoS Attacks in Converged Networks • Three points of attack • Network bandwidth between enterprise and external network • Server resources at control points • End user’s efficiency
Internet Originated Attack • Enterprise network connection can be flooded using techniques like SYN flooding • Resources on SIP proxy can be exhausted by a large flood of incoming calls • End user receives large number of SIP INVITE requests in a brief period of time
PSTN Originated Attack • Signaling link between M/S gateway and PSTN STP becomes saturated with messages • Voice ports on the M/S gateway are completely allocated • Large number of PSTN endpoints attempt to contact a single individual resulting in a high volume of INVITE messages
Network Framework For Detecting and Responding to DoS Attacks • Each resource consumption DoS attack has a unique signature • All the signatures have a similar behavior • An algorithm can be created to detect this behavior • Sensors can be implemented based on the algorithm • Appropriate responses can be activated to reduce the impact of the attack after detection
Information Sampling • SIP signaling (INVITE answered by OK) and the underlying transport protocol (TCP SYN answered by ACK) both include a handshake during the connection setup phase • Monitoring the volume of connection attempts vs. the volume of completed handshakes can be used to detect an attack: a flood consists of attempts that are never completed
Detection Algorithm • All connection setup attempts and complete handshakes are counted during the observation period • Upon expiration of the sampling period the difference is computed and normalized • Under normal operation, the resulting value should be very close to 0 • In the presence of an attack, the result is a large positive number
Types of Attack Sensors • To ensure the detection and protection of the three targets, two sensors must be built • Application Layer Attack Sensor • Network Layer Attack Sensor
Application Layer Attack Sensor • Monitors the number of SIP INVITE requests vs. SIP OK (call acceptance) responses • Each URI is monitored independently • Upon flood detection, the proxy or M/S gateway returns temporarily busy responses for the flooded URI
Network Layer Attack Sensor • Monitors the number of TCP SYN and ACK packets • Traffic is monitored at a high level aggregate • Upon attack detection, throttling is applied by perimeter devices (e.g. firewall) • If attack persists, traceback technologies can be used to drop malicious traffic at an upstream point
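An added example, not part of the talk, that implements the detection algorithm and both sensors over constructed event streams: the application sensor counts SIP INVITE vs. 200 OK per Request-URI, the network sensor counts TCP SYN vs. handshake ACK in aggregate, and each window's normalized difference is compared with a threshold before the responses above are triggered. The window length, threshold, minimum attempt count, the normalization (gap divided by attempts) and the specific SIP status code are this example's assumptions, and the event streams are constructed.

```python
"""Added example (not from the talk): the setup-vs-completion detection
algorithm run as an application-layer and a network-layer sensor over
constructed event streams. Window, threshold, normalization and responses
are this example's assumptions."""
from collections import defaultdict

PERIOD = 10.0        # observation window in seconds (assumed)
THRESHOLD = 0.5      # unfinished-setup fraction that raises an alarm (assumed)
MIN_ATTEMPTS = 5     # fewer attempts than this is too little to judge (assumed)


def flood_score(attempts, completions):
    """Normalized gap between setup attempts and completed handshakes in one
    window: about 0 in normal operation, approaching 1 when almost nothing
    completes. Dividing by the attempt count is this example's choice of
    normalization; completions of setups begun earlier are clamped."""
    if attempts == 0:
        return 0.0
    return max(attempts - completions, 0) / attempts


class SetupSensor:
    """Counts attempt and completion events per window. The application
    sensor keys on the SIP Request-URI (per_key=True); the network sensor
    watches the aggregate (per_key=False)."""

    def __init__(self, attempt_kind, complete_kind, per_key=True):
        self.attempt_kind = attempt_kind
        self.complete_kind = complete_kind
        self.per_key = per_key

    def observe(self, events):
        """events: iterable of (timestamp, kind, key).
        Returns {(window_start, key): (attempts, completions, score)}."""
        attempts, completions = defaultdict(int), defaultdict(int)
        for ts, kind, key in events:
            bucket = (int(ts // PERIOD) * PERIOD, key if self.per_key else "*")
            if kind == self.attempt_kind:
                attempts[bucket] += 1
            elif kind == self.complete_kind:
                completions[bucket] += 1
        buckets = set(attempts) | set(completions)
        return {b: (attempts[b], completions[b],
                    flood_score(attempts[b], completions[b])) for b in buckets}

    def alarms(self, events):
        """Windows (and keys) whose score exceeds THRESHOLD."""
        return sorted(b for b, (a, _, s) in self.observe(events).items()
                      if a >= MIN_ATTEMPTS and s > THRESHOLD)


def respond(app_alarms, net_alarms):
    """Responses proposed in the talk: busy out the flooded URI at the proxy
    or M/S gateway; throttle at the perimeter for a SYN flood. The SIP
    status code 486 is an assumed choice."""
    actions = [f"t={w:.0f}s: proxy answers INVITE for {uri} with 486 Busy Here"
               for w, uri in app_alarms]
    actions += [f"t={w:.0f}s: firewall rate-limits inbound TCP SYN"
                for w, _ in net_alarms]
    return actions


# ---- constructed sample traffic -------------------------------------------
def burst(t0, kind, key, n, spread):
    """n events of one kind spread evenly over [t0, t0 + spread)."""
    return [(t0 + i * spread / n, kind, key) for i in range(n)]


ALICE, BOB = "sip:alice@example.com", "sip:bob@example.com"

# 0-10 s: normal load, every INVITE gets a 200 OK, every SYN gets its ACK.
NORMAL = (burst(0, "INVITE", ALICE, 6, 10) + burst(0.5, "200 OK", ALICE, 6, 10)
          + burst(0, "INVITE", BOB, 5, 10) + burst(0.5, "200 OK", BOB, 5, 10)
          + burst(0, "SYN", None, 40, 10) + burst(0.2, "ACK", None, 40, 10))
# 10-20 s: an INVITE flood aimed at Bob alone, and a SYN flood on the link.
ATTACK = (burst(10, "INVITE", ALICE, 6, 10) + burst(10.5, "200 OK", ALICE, 6, 10)
          + burst(10, "INVITE", BOB, 60, 10) + burst(10.5, "200 OK", BOB, 3, 10)
          + burst(10, "SYN", None, 600, 10) + burst(10.2, "ACK", None, 45, 10))
EVENTS = NORMAL + ATTACK

APP_SENSOR = SetupSensor("INVITE", "200 OK")            # per URI
NET_SENSOR = SetupSensor("SYN", "ACK", per_key=False)   # aggregate

if __name__ == "__main__":
    for action in respond(APP_SENSOR.alarms(EVENTS), NET_SENSOR.alarms(EVENTS)):
        print(action)
```

In the second window the application sensor flags only Bob's URI (score 0.95) while Alice's calls still score 0, which is what per-URI monitoring buys: the proxy can busy out the flooded target without refusing everyone. The network sensor flags the aggregate (score 0.925). A real deployment has to distinguish the handshake-completing ACK from later data ACKs by tracking each connection, and should tune the window and threshold to the site's normal rate of abandoned calls, since the score is only meaningful against that baseline.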
Future Work • Implementation of the sensors and collection of performance and detection results • Design of a module to detect malicious flows