IMS Security and Protection
Micaela Giuhat, VP Product Management, Sipera Systems
email: micaela@sipera.com
Outline
• Open system security
• VoIP security requirements
• Industry approach and strategies
• IMS security requirements
• IMS vulnerabilities
• Attack examples
• Solution
• Summary
Bad Guys: Open Systems Can Be Attacked
The traditional voice network is a closed system, versus the Internet, which is open.
[Diagram: the Internet reaching external web servers, internal web servers, e-mail servers and the core network]
• Denial of Service attacks
• Viruses
• Spyware
• Blended attacks
• E-mail SPAM
The Internet Security Industry
• Applications protected:
  • Web apps
  • E-mail
  • Database
[Diagram: firewall, IDS, IPS, SPAM filter and network security log correlation placed between the Internet and the core network]
But… problems still persist.
Enter VoIP
• VoIP is different …
  • Real time
  • Peer-to-peer
  • Protocol rich
  • Complex state machine (several dozen states)
  • Feature rich (several hundred services)
  • Separate signaling & media planes
  • Low tolerance to false positives & negatives
[Diagram: the same firewall/IDS/IPS/SPAM-filter stack in front of the core network, now with communication servers added]
Current Industry Approach
Current industry thinking is to add VoIP sensibilities to all the existing security boxes, although nothing is actually available yet …
The approach is unworkable:
1. Not real time
2. Cannot handle encrypted traffic
3. Can't keep up with new feature addition
[Diagram: the existing firewall/IDS/IPS/SPAM-filter/log-correlation stack between the Internet and the core network with its communication servers]
Current Strategies
• Security agent (protects against Windows OS vulnerabilities): may block good calls
• FW/ALG: opens pinholes; the ALG is itself vulnerable
• Event correlation / remediation: VoIP traffic analysis
• IDS/IPS (signature/anomaly filtering): limited signatures
• DoS/DDoS guard at the core switch (scrubs IP DoS/DDoS traffic): cannot stop spoofed caller IDs
• Certificates: authentication, encryption
Common problems with these strategies:
• Hard to manage
• Will not meet performance specifications
• Does not address multi-vendor
• Cannot keep up with new features
• Not available yet
[Diagram: these devices placed between the Internet, the PSTN gateway and the core switch]
IP Communications Security (IPCS) Solution: Desired Approach
An integrated, real-time VoIP security solution that comprehensively tackles all VoIP vulnerabilities, both Enterprise & Carrier.
[Diagram: a single IPCS device between the Internet and the core network, in front of the web, e-mail and communication servers]
Tolerance for False Negatives: Email vs. Voice
• Email delivery mode: store, analyze, forward in near-real time. A low-volume e-mail attack that passes the security device (false negative) reaches the e-mail server; the e-mail may not be extracted immediately and can be deleted fairly easily; low annoyance level.
• Call delivery mode: analyze, forward in real time. A low-volume voice attack that passes the security device (false negative) reaches the call server; the call is delivered in real time and the phone rings constantly; high annoyance level.
Typical Solution vs. Desired Solution
Each typical security function covers the data-world applications listed; the desired solution adds VoIP to every one of them:
• Firewall: OS, IP, Web (desired: + VoIP)
• Intrusion Detection System: OS, IP, Web (desired: + VoIP)
• Intrusion Prevention System: OS, IP, Web, e-mail (desired: + VoIP)
• Denial of Service Prevention: IP, Web, database (desired: + VoIP)
• Anti-SPAM: e-mail (desired: + VoIP)
• Network Level Correlation: OS, IP, Web, database (desired: + VoIP)
Desired: a comprehensive integrated security solution for communications applications (VoIP, IM, Video, Multi-Media).
Comprehensive IMS Security System
A comprehensive IMS security system must:
• Prevent unauthorized usage
• Protect end-user privacy
• Protect IMS infrastructure from attacks
• Protect end-users from attacks
• Handle voice SPAM
Security Aspects Addressed in IMS
Vulnerability, protection technique, and whether the IMS specifications address it:
• Unauthorized use: authentication (SIM). Well defined by 3GPP; addressed by core IMS infrastructure (SIM, HSS, AAA, PDG).
• Privacy: encryption (IPSec, TLS). Well defined by 3GPP; addressed by core IMS infrastructure.
• Attacks on infrastructure and attacks on end-users: not addressed. Required protection:
  • IMS-aware firewall (policy-based filters: URL/IMSI/MSISDN/AP/IP white/black lists, etc.)
  • IMS intrusion prevention (call-stateful deep packet inspection (IMS decode), behavioral learning (fingerprinting), protocol fuzzing prevention, media filtering, etc.)
  • IMS network-level security management (event correlation, network threat protection)
• IMS SPAM: not addressed. Required protection: IMS SPAM filter (user control, behavioral learning (call patterns, trust scores), machine call detection, etc.)
Characteristics: Existing Internet Security Solutions vs. IMS
• Existing Internet security solutions: client-server; non-real time; e-mail, Web, database; TCP/UDP/ICMP/FTP/HTTP/SQL aware.
• IMS (not addressed by existing solutions): peer-to-peer; real-time IP traffic; VoIP, IMS, IPTV; IMS/SIP/H.248/RTP/MPEG aware; call-state & service aware; user & traffic behavioral learning.
IMS Reference Architecture
[Diagram: 3GPP IMS reference architecture. UE via GGSN over IP transport (access and core) to the P-CSCF, I-CSCF and S-CSCF (Mw); S-CSCF to HSS and SLF (Cx, Dx), to application servers (ISC, Sh, Dh), to BGCF and MGCF (Mi, Mj, Mg) and to MRFC (Mr); MGCF to MGW (Mn) and PSTN; MRFC to MRFP (Mp); PDF via Gq; charging functions via Rf/Ro. Protocols: SIP, DIAMETER, H.248.]
IMS Vulnerabilities
• IMS & SIP enable a rich feature set of converged services … but also open up the network to IP-based vulnerabilities
• IMS & SIP vulnerabilities include:
  • OS-level vulnerabilities (well known in the data world)
  • IP layer 3 vulnerabilities (well known in the data world)
  • IMS framework related vulnerabilities (new, unique & real-time sensitive)
  • SIP/RTP/H.248/etc. protocol vulnerabilities (new, unique & real-time sensitive)
  • VoIP/Video/PoC/etc. application vulnerabilities (new, unique & real-time sensitive)
  • VoIP SPAM
[Diagram: IMS core (HSS, application servers, charging, call server, SIP server, MGCF, MRFC, BGCF, SGF, P/S/I-CSCF, SLF/PDF/IBCF/IWF) and media gateway (MGW, MRFP, T-MGF, ABGF, IBGF, IP-IP GW)]
IMS Architecture Vulnerabilities: Some Examples
• Compromised mobile phones
• Zombie hard/soft phones
• Modified phone with malicious intent
• Malicious/malformed/spoofed signaling attacks
• Malicious/malformed/spoofed media attacks
• Spoofed IMS emergency session attacks
• Presence update attacks
• Initiating conferencing to block the network resources
• UE having direct access to the IMS core network
• Charging fraud: signaling directly to the S-CSCF to avoid charging
• Misconfigured/partially configured UEs and/or network elements
• Non-GPRS access such as WLAN or broadband can be attacked directly from the Internet without a subscription
• SPAM
IMS Application Level Attacks
Both network & subscribers can be attacked, by human attackers, zombie attackers, spammers and spoofed packets.
• Attack types:
  • Flood Denial of Service
    • Signaling
    • Media
  • Distributed DoS
  • Stealth DoS
    • Target individual or group of users
  • Blended attacks
    • Recruit zombies and use them to launch an attack
  • SPAM
    • SPAM over Internet Telephony (SPIT)
[Diagram: attackers reaching the MMD core (HSS, application servers, charging, SIP server, call server, MGCF, MRFC, BGCF, SGF, P/S/I-CSCF, SLF/PDF/IBCF/IWF) and media gateway (MGW, MRFP, T-MGF, ABGF, IBGF, IP-IP GW)]
IMS Vulnerability Protection System: Reference Architecture
The IMS Vulnerability Protection System is distinct from the IMS core infrastructure.
[Diagram: the IMS Vulnerability Protection System placed between the human attackers, zombie attackers and spammers and the IMS core (HSS, application servers, charging, call server, SIP server, MGCF, MRFC, BGCF, SGF, P/S/I-CSCF, SLF/PDF/IBCF/IWF) and media gateway (MGW, MRFP, T-MGF, ABGF, IBGF, IP-IP GW)]
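To make the protection layers on the "Security Aspects Addressed in IMS" slide concrete alongside the attack examples (INVITE flooding, SPIT, a UE signaling the S-CSCF directly to avoid charging), here is an added toy front-end filter in Python. It is not Sipera's product code and not from the slides: the policy lists, trust-score thresholds, the tiny SIP parser and the sample SIP requests are all constructed for illustration. It shows three of the slide's techniques in order: a policy-based black list (IMS-aware firewall), a topology check that only provisioned P-CSCF addresses may reach the S-CSCF, and a call-stateful per-source INVITE rate check whose violations lower a learned trust score (behavioral learning), so that a source that has misbehaved is challenged even after the flood stops.

```python
import re
from collections import defaultdict, deque

# --- Operator policy (constructed placeholders, not real provisioning data) ---
BLACKLIST_URIS = {"sip:spitbot@example.invalid"}   # IMS-aware firewall black list
TRUSTED_PCSCF = {"10.0.0.5"}                         # only these may signal the S-CSCF
INVITE_LIMIT = 5                                     # INVITEs per source per window
WINDOW_SECONDS = 10
TRUST_PENALTY = 0.3                                  # score drop per flood violation
TRUST_THRESHOLD = 0.5                                # below this the source is challenged


def parse_sip(raw):
    """Parse the request line and headers of a SIP request (tiny subset of RFC 3261)."""
    lines = raw.strip().splitlines()
    method, request_uri, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break                      # end of headers; any SDP body is ignored here
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "uri": request_uri, "headers": headers}


def extract_uri(header_value):
    """Return the bare URI from a From/To header: "A" <sip:a@x>;tag=1 -> sip:a@x."""
    m = re.search(r"<([^>]+)>", header_value)
    if m:
        return m.group(1)
    return header_value.split(";")[0].strip()


class ImsFrontEndFilter:
    def __init__(self):
        self.invites = defaultdict(deque)        # src_ip -> INVITE timestamps (call-stateful)
        self.trust = defaultdict(lambda: 1.0)    # From URI -> learned trust score

    def decide(self, src_ip, raw, now, to_scscf=False):
        msg = parse_sip(raw)
        from_uri = extract_uri(msg["headers"].get("from", ""))
        # 1. Policy-based filter: static black list (firewall layer)
        if from_uri in BLACKLIST_URIS:
            return "DROP:blacklist"
        # 2. Topology check: a UE reaching the S-CSCF directly bypasses the P-CSCF
        #    and charging, so only provisioned P-CSCF addresses are accepted there
        if to_scscf and src_ip not in TRUSTED_PCSCF:
            return "DROP:direct-scscf-access"
        # 3. Call-stateful rate check: INVITE flood per source in a sliding window
        if msg["method"] == "INVITE":
            window = self.invites[src_ip]
            while window and now - window[0] > WINDOW_SECONDS:
                window.popleft()
            window.append(now)
            if len(window) > INVITE_LIMIT:
                self.trust[from_uri] = max(0.0, self.trust[from_uri] - TRUST_PENALTY)
                return "DROP:invite-flood"
        # 4. Behavioral layer: a source whose learned trust fell too low is challenged
        if self.trust[from_uri] < TRUST_THRESHOLD:
            return "CHALLENGE:low-trust"
        return "ALLOW"


def sip_request(method, from_user, to_user="bob"):
    """Build a constructed SIP request for the demo (example.invalid domains)."""
    return (
        f"{method} sip:{to_user}@ims.example.invalid SIP/2.0\r\n"
        f"Via: SIP/2.0/UDP 192.0.2.1;branch=z9hG4bK776\r\n"
        f"From: \"{from_user}\" <sip:{from_user}@example.invalid>;tag=1928\r\n"
        f"To: <sip:{to_user}@ims.example.invalid>\r\n"
        f"Call-ID: {from_user}-{method}@example.invalid\r\n"
        f"CSeq: 1 {method}\r\n"
        f"Content-Length: 0\r\n\r\n"
    )


def run_demo():
    """Replay constructed traffic through the filter and return the decision list."""
    f = ImsFrontEndFilter()
    decisions = []
    # legitimate INVITE arriving at the S-CSCF from a provisioned P-CSCF
    decisions.append(f.decide("10.0.0.5", sip_request("INVITE", "alice"), now=0.0, to_scscf=True))
    # black-listed SPIT source
    decisions.append(f.decide("198.51.100.3", sip_request("INVITE", "spitbot"), now=0.5))
    # UE signaling the S-CSCF directly (charging-fraud path)
    decisions.append(f.decide("198.51.100.4", sip_request("REGISTER", "mallory"), now=1.0, to_scscf=True))
    # 7 INVITEs in 7 seconds from one source: the 6th and 7th exceed the window limit
    for i in range(7):
        decisions.append(f.decide("198.51.100.9", sip_request("INVITE", "zombie"), now=2.0 + i))
    # much later, the same identity is still distrusted even for a harmless OPTIONS
    decisions.append(f.decide("198.51.100.9", sip_request("OPTIONS", "zombie"), now=60.0))
    return decisions


if __name__ == "__main__":
    for d in run_demo():
        print(d)
```

The order of the checks matters: the cheap static list and topology checks run before any per-source state is touched, and the trust score is consulted last so that a flood is reported as a flood rather than as a trust failure. A real IMS front end would key the rate state on the authenticated identity (IMSI/MSISDN) rather than the source IP, which this toy does not have.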
Attack Summary
• An IMS network built to 3GPP or TISPAN specification compliance has numerous vulnerabilities
• An attack on the network could cause network-wide outages, including bringing down HSSs, application servers, SIP servers, call servers, media gateways and IP-IP gateways
• Attacks towards specific targeted individual users could cause them extreme annoyance and disrupt their service in insidious ways
• The Sipera Systems research team has identified over 90 distinct categories of attacks
• These attacks require hackers with varying levels of sophistication, but many attacks are possible even by so-called "script kiddies"