Secure IP Telephony using Multi-layered Protection
Brennen Reynolds, Off-Piste Consulting, LLC
(formerly of University of California, Davis)
Dipak Ghosal, University of California, Davis

Motivation
  What is IP Telephony?
    Packetized voice over IP
    PSTN access through Media/Signal Gateways (MSG)
  Benefits:
    Improved network utilization
    Next generation services
  Growth:
    Revenues $1.7 billion in 2001, 6% of international traffic was over IP, growing [Frost 2002] [Telegeography 2002]
  Standardized, deployed protocols (TRIP, SIP, H.323)

Security Is Essential
  IP Telephony inherits all properties of the IP protocol – including security weaknesses
  Ensuring the security of a critical service must be a top priority
  Convergence of two global and structurally different networks introduces new security weaknesses

Agenda
  IP Telephony Enabled Enterprise Networks
  IP Telephony Call Setup
  Vulnerability Analysis
  Detection and Control of Flood-based DoS Attacks
  Preliminary Experimental Results
  Future Work

IP Telephony Enabled Enterprise Network Architecture
  [Figure: network diagram. Labeled components: Internet, PSTN, Media/Signal Gateway, Edge Router, External Firewall, Enterprise DMZ, SIP Redirect Proxy, SIP Registrar/Location Server, Web Server, DNS Server, Internal Firewall, Enterprise LAN, Softphone, IP Phone, Authentication Server]

Net-to-Net Call Setup
  1. A request is sent (SIP INVITE) to ESTABLISH a session
  2. DNS Query for the IP Address of the SIP Proxy of the Destination Domain
  3. The INVITE is forwarded
  4. The Location Service is queried to check that the destination IP address represents a valid registered device, and for its IP Address
  5. The request is forwarded to the End-Device
  6. Destination device returns its IP Address to the originating device and a media connection is opened
  [Figure: call flow diagram with numbered steps 1-6 and a Media Transport path. Labeled components: DNS Server, two SIP IP Phones, SIP Registrar/Location Server, two SIP Redirect Proxies]

Vulnerability Analysis
  Property oriented approach
    Access control to use IP telephony service
    Integrity and authenticity of IP telephony signaling messages
    Resource availability and fairness in providing IP telephony service
    Confidentiality and accountability

Access Control
  Deny unauthorized users access to IP telephony service
  Central authentication servers
    E.g.: RADIUS server
  Enable various network elements to query authentication server

Integrity and Authenticity of Signaling Messages
  Call Based Denial of Service
    CANCEL messages, BYE message, Unavailable responses
  Call Redirection
    Re-registering with bogus terminal address, user moved to new address, redirect to additional proxy
  User Impersonation

Payload Encryption
  Capture and decoding of voice stream
    Can be done in real-time very easily
  Capture of DTMF information
    Voice mail access code, credit card number, bank account
  Call profiling based on information in message headers

Resource Fairness and Availability
  Flood based attacks
    Network bandwidth between enterprise and external network
    Server resources at control points
      SIP Proxy Server
      Voice ports in Media/Signaling Gateway
    Signaling link between Media/Signaling Gateway and PSTN
    End user

Internet Originated Attack
  Enterprise network connection can be flooded using techniques like SYN flooding
  Resources on SIP proxy can be exhausted by a large flood of incoming calls
  End user receives large number of SIP INVITE requests in a brief period of time

PSTN Originated Attack
  Signaling link between M/S gateway and PSTN STP becomes saturated with messages
  Voice ports on the M/S gateway are completely allocated
  Large number of PSTN endpoints attempt to contact a single individual resulting in a high volume of INVITE messages

Secure IP Telephony Architecture
  [Figure: network diagram. Labeled components: PSTN, Internet, Enterprise DMZ, Transport Layer Attack Sensor, SIP Redirect Proxy, SIP Registrar/Location Server, Web Server, DNS Server, Edge Router, External Firewall, Internal Firewall, Application Layer Attack Sensor (two instances), Media/Signal Gateway, Softphone, IP Phone, Enterprise LAN, Authentication Server]

Application Layer Attack Sensor (ALAS)
  Monitors the number of SIP INVITE requests and the SIP OK (call acceptance) responses
    URI level monitor
    Aggregate level monitor
  Detection Algorithm
  Response Algorithm
    Proxy or M/S gateway returns temporarily busy messages

Transport Layer Attack Sensor (TLAS)
  Monitors the number of TCP SYN and ACK packets
  Traffic is monitored at an aggregate level
  Upon detection of an attack, throttling is applied by perimeter devices (e.g. firewall)
  If attack persists, traceback technologies can be used to drop malicious traffic at an upstream point

RTP Stream Attack Sensor (RSAS)
  To detect malicious RTP and RTCP streams
  Parameters of the RTP streams are known at connection setup time
  Police individual streams
  Statistical techniques to determine large flows
  Packets corresponding to the malicious streams are dropped at the firewall
  Need cooperation of upstream routers to mitigate link saturation

Detection Algorithm for ALAS
  Monitoring the volume of connection attempts vs. volume of complete connection handshakes can be used to detect an attack
  Based on the sequential change point detection method proposed by Wang, Zhang and Shin (Infocom 2002) to detect TCP SYN attacks

Detection Algorithm
  All connection setup attempts and complete handshakes are counted during the observation period
  During each sampling period the difference is computed and normalized

$$X(n) = \frac{EA(n) - HS(n)}{\bar{C}(n)}$$

$$\bar{C}(n) = \alpha\,\bar{C}(n-1) + (1-\alpha)\,HS(n)$$

Detection Algorithm Cont.
  Under normal operation, the resulting value should be very close to 0
  In the presence of an attack, the result is a large positive number
  A cumulative sum method is applied to detect short high volume attacks as well as longer low volume attacks

Recovery Algorithm
  Linear Recovery
    This is the default behavior of the detection algorithm
  Exponential Recovery
    The cumulative sum decreases multiplicatively once the attack has ceased
  Reset after Timeout
    The cumulative sum decays linearly until a timer expires, at which point it is reset to 0
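
The detection and recovery rules from the slides above, as an added Python example (not the authors' code), run over one URI-level counter. It assumes the cumulative sum takes the form Y(n) = max(0, Y(n-1) + X(n) - a) used by the cited Wang, Zhang and Shin method, where X(n) is the normalized difference between INVITE attempts and OK responses; the class and function names, the parameter values (alpha, offset, threshold, decay, timeout), the divide-by-zero floor and the sample counts are all assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class AlasDetector:
    alpha: float = 0.75       # EWMA memory for C-bar (assumed value)
    offset: float = 0.5       # drift subtracted from X(n) each period (assumed)
    threshold: float = 2.0    # alarm while Y(n) exceeds this (assumed)
    recovery: str = "linear"  # "linear", "exponential" or "reset"
    decay: float = 0.5        # multiplier for exponential recovery (assumed)
    timeout: int = 3          # quiet periods before reset-after-timeout (assumed)
    c_bar: float = 0.0        # running average of completed handshakes
    y: float = 0.0            # cumulative sum Y(n)
    quiet: int = 0            # consecutive periods without excess attempts

    def update(self, attempts: int, handshakes: int) -> bool:
        """Consume one period's INVITE and OK counts; return the alarm state."""
        prev = self.c_bar if self.c_bar > 0 else float(handshakes)
        self.c_bar = self.alpha * prev + (1 - self.alpha) * handshakes
        # Floor of 1.0 (assumed) keeps an idle URI from dividing by zero.
        x = (attempts - handshakes) / max(self.c_bar, 1.0)
        step = x - self.offset
        if step > 0:                      # excess unanswered attempts accumulate
            self.y += step
            self.quiet = 0
        else:                             # no excess: apply the recovery rule
            self.quiet += 1
            if self.recovery == "exponential":
                self.y *= self.decay
            elif self.recovery == "reset" and self.quiet >= self.timeout:
                self.y = 0.0
            else:                         # linear: plain CUSUM decay, floored at 0
                self.y = max(0.0, self.y + step)
        return self.y > self.threshold

def simulate(trace, recovery):
    """Return (period the alarm first fires, period it first clears), 1-based."""
    det = AlasDetector(recovery=recovery)
    fired = cleared = None
    for period, (invites, oks) in enumerate(trace, start=1):
        alarm = det.update(invites, oks)
        if alarm and fired is None:
            fired = period
        elif fired is not None and cleared is None and not alarm:
            cleared = period
    return fired, cleared

# Constructed per-minute (INVITE, OK) counts for one URI: 5 normal, 4 attack, 10 normal.
TRACE = [(10, 10)] * 5 + [(30, 10)] * 4 + [(10, 10)] * 10
```

On this constructed trace the alarm fires in the second attack minute under every recovery rule; only the time the "temporarily busy" response stays in force after the flood stops differs between the three rules.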

Preliminary Results
  Types of attack
    Limited DoS attack
      Single user targeted by one or more attackers
    Stealth DoS attack
      Multiple users targeted by one or more attackers, each with a low volume of call requests
    Aggressive DoS attack
      Multiple users targeted with high call requests
  Ability to detect both aggregate level attacks as well as attacks on individual URIs

Preliminary Results
  [Figure: Limited DoS Attack with 10 calls/min to a single URI. Y-axis: Calculated Value of Yn; x-axis: Time (minutes); series: Exponential Recovery, Linear Recovery, Threshold]

Summary of Detection and Recovery Results

Detection Time
  Attack Type                   Detection Time
  4 calls/min – Limited DoS     4 min (URI level)
  10 calls/min – Limited DoS    2 min (URI level)
  50 URI Aggressive DoS         6 min (URI level), 8 min (agg. level)
  200 URI Stealth DoS           4 min (agg. level)

Recovery Time
  Recovery Algorithm            Recovery Time
  4 calls/min – Linear          3 min
  10 calls/min – Linear         17 min
  10 calls/min – Exponential    6 min
  10 calls/min – R.a.T.         3 min

Future Work
  Detailed analysis
    Tradeoff between detection time and false alarm rate
  Formal vulnerability analysis
    Additional vulnerabilities with ENUM
  Routing layer issues
    Vulnerabilities of multihomed networks

Additional Information
  Master’s Thesis: Enabling Secure IP Telephony in Enterprise Networks
    http://www.off-pisteconsulting.com/research/pubs/reynolds-ms_thesis.pdf
  Presentation Slides
    http://www.off-pisteconsulting.com/research/pubs/ndss03-slides.ppt
  Contact Information:
    Brennen Reynolds, Off-Piste Consulting, LLC, [email protected]
    Dipak Ghosal, PhD., University of California, Davis, [email protected]