security and lawful intercept - tmcnet · pdf filesecurity and lawful intercept in voip...

Security and Lawful Intercept In VoIP Networks

Manohar MahavadiCentillium Communications Inc.Fremont, California

www.voipdeveloper.comAugust 8-10, 2006

Santa Clara, CaliforniaHyatt Regency Santa Clara

Agenda

• VoIP: Packet switched network• VoIP devices• VoIP protocols• Security and issues in VoIP networks• CALEA



VoIP: Packet Switched Network

BroadbandNetwork

Internet PSTN

Media Gateway

VoIP Phone

POTSPhone

DSLAMRouter

Modem

Modem

PC



VoIP Devices

• Media servers– Call controllers– Conferencing servers– Text-to-speech (TTS) servers– Voice or video servers

• Media gateways– Analog (PSTN) IP (VOIP)– H.323 ISDN– IP ATM, TDM IP



VoIP Devices

• Security devices– Firewalls– Intrusion detection systems (IDS)– Intrusion prevention systems (IPS)– VPN gateways

• Switching and routing devices• End points

– SIP user agents– Terminals– Soft-phones



VoIP Protocols

• Signaling protocols– Call configuration and management

• Call setup and teardown, call control• Capability exchange

– Codecs, tones, etc.• Supplementary services

– Conferencing, call forwarding, call transfer

– H.323 protocol suite• ITU-T standard• Mature, well-deployed but complex

– Session initiation protocol (SIP)• IETF standard• Upcoming, gaining popularity and simple



VoIP Protocols

• Data protocols– Real-time transport protocols (RTP)

• RFC 1889• Transport of voice and video over UDP• Support for packet loss discovery and ordered delivery

– Sequence#• Support for delay and jitter calculations

– Timestamp

– RTP control protocol (RTCP)• RFC 1889• Periodic exchange of control information

– Sender reports, receiver reports, source description• Optional encryption prefix for DES



VoIP Protocols: H.323 Architecture

• Terminal– Endpoint on a network providing real-time communications

with other devices, including gateways, MCUs and gatekeepers– Implements one or more codecs – Example: Microsoft NetMeeting

• Multipoint controller unit (MCU)– Manages multipoint conferences between three or more end points– Multipoint controllers (MC) handle call control

• Capability set to all participants, join-in/drop-out managing– Multipoint processors (MP) (optional)

• Perform media exchange in a conference• Processes the actual media streams



VoIP Protocols: H.323 Architecture

• Gateway– Protocol conversion between H.323 networks and other networks

such as ISDN or PSTN (packet networks and circuit switched networks)– Acts as terminal on packet network side and mode on circuit network side

• Ability to set up and terminate calls– Provides translation

• Data format• Control signal• Audio and video codec

• Gatekeeper– Central management and control services– Registration of terminals, gateways and MCUs– Address translation, access controls, bandwidth management, routing



VoIP Protocols: SIP Architecture

• SIP user agents– Endpoint or end-station– Client/server architecture– User agent client and user agent server

• SIP servers– Proxy server

• Maintains current locations of registered user agents and helps in-call management

• Incoming call forking to multiple locations• Logs information for billing and information

– Redirect server• Provides name resolution and user location• Does not participate in call establishment

• SIP registrar– Provides location information service



VoIP Support Protocols

• DNS – Name resolution, address conversion• TFTP – Software downloads and file transfer• SNMP – Management and configuration• DHCP – Dynamic address allocation• RSVP – QoS allocation• SDP – Sharing of client session abilities



Security Issues in VoIP

• Scams– In June 2006, federal authorities arrested a Miami man

for reselling Internet telephone service by hacking into lines of legitimate telephone companies

• Piggybacking since VoIP is not secured



Security: Basic Requirements

• Privacy– Encryption: symmetric and asymmetric keys– DES– 3DES– AES

• Integrity– MD5, HMAC-MD5 – SHA-1, HMAC-SHA-1

• Authentication– RADIUS– PKI– Digital certificates



Security: Network Security Threats

• DOS attacks – CPU resource starvation– Service degradation or disruption

• Random TCP, UDP or ICMP packets on random ports– Example: packets with urgent flag

• Bogus messages– Premature termination

• Control packet flood

– Securing a packet is not relevant and not a cure



Security: Network Security Threats

• Call interception and hijacking– DNS poisoning

• SIP uses SRV records to locate SIP services• Call redirection: SRV record changes pointing to servers

rather than actual ones

– ARP spoofing (cache poisoning)• MAC address manipulation

– Session hijacking due to rerouting– Session interception and message tampering– Encryption for mitigation



Security: Enforcement

• Firewalls– Network layer: Source address, destination address– Application layer: FTP, HTTP, e-mail, etc.– Stateful firewalls: Inbound responses to outbound requests permitted– Network address translation (NAT): Internal IP address shielding

• Intrusion detection and reporting– Counter-based– Traffic-anomaly-based– Logging and reporting– False alarms

• Intrusion prevention– Detect and drop– Detect and throttle– Dynamic reconfiguration



Security: Enforcement

• Systems– Virus scanning– E-mails with attachments– File downloads and piggybacking– Scan, detect and quarantine– Logging and reporting

• VPN gateways– Secure tunnels between gateways– Bulk encryption– Road warriors – remote access



Security: Network-based

LAN Internet PSTN

FirewallIDS/IPS Firewall IDS/IPS

Media Gateway

VoIP Phone

POTSPhone

Soft-phone



Security: Host-based

BroadbandNetwork

Internet PSTN

FirewallIDS/IPS

Media Gateway

VoIP Phone

POTSPhone

DSLAMRouter w/Firewall

Modem

Modem

MS FirewallMS Anti-virus

PC



Security: Software TechniquesUser namePasswordS/MIME

Application LayerEMAIL NFS

MS WordFTP

Presentation LayerSession Layer

Transport Layer SSL TSL

IPSEC

UDPTCP

Network Layer

Data Link Layer

Physical Layer



S/MIME Protocol

• Secure multipurpose Internet mail extensions• Enables secure transmission, storage and

authentication of data• Applications

– Electronic Data Interchange over Internet (EDI-INT)– Storage and transfer of bank statements,

financial forms, etc.– Electronic billing and payments, online sales, etc.– Secure patient records and record management



SSL/TLS Protocols

• Secure sockets layer (SSL) developed by Netscape• Transport layer security (TLS) IETF standard (RFC2246)

based on SSL 3.0• SSL and TLS used for point-to-point application security• Not interoperable: TLS or SSL negotiated in the beginning• Applications

– Remote access for management and control– Secure account management– Travel reservations



IPSEC Protocol

• Secures data through insecure channels • Policy-based enforcement (hosts, applications, etc.) • Tunnel mode of operation

– Between gateways, creating tunnel connecting two or more networks– Encrypts payload and header of IP packets

• Transport mode of operation– Between end points or between an end point and gateway– Encrypts payload of IP packet only

• Applications– VPNs connecting geographically separate networks– Bulk data transfers– Mobile users/road warriors



IPSEC: Protocols

Authentication Header (AH)

IP Header Data

IP Header DataNew IP Header AH

Tunnel ModeAuthenticated

IP Header Data

DataTransport Mode

Authenticated

AHIP Header



IPSEC: Protocols

Encapsulating Security Payload (ESP)

IP Header Data

IP Header DataNew IP Header ESP Header

Tunnel ModeESP and AH

Encrypted

IP Header Data

Data

Transport ModeESP and AH Authenticated

ESP HeaderIP Header

ESP Trailer ICV

Authenticated

ESP Trailer ICV

Encrypted



Understanding LI/CALEA

Surveillance Model




• The intercept function is viewed as five broad categories– Access function

• One or more intercept access points (IAPs) – Delivery function

• Call content channels (CCCs) and call data channels (CDCs)– Collection function

• Collecting and analyzing intercepted communications – Service provider administration function

• Controlling the TSP access and delivery functions – Law enforcement administration function

• Controlling the LEA collection function




Circuit IAP for a Two-way Communication




Packet IAP for a Two-way Communication



LI/CALEA Model for TDM_PKT_CHNL

Law Interception (LI) on Circuit (TDM) or Packet (PKT) Channel for TDM_PKT_CHANNEL

LITDM

Encoder D

Decoder D

DSP NPNP Packetizer

UnPacketizer B

IP Phone

TDM_PKT _CHANNEL

A

Legacy Phone EC

TAP TRAFFIC COMING TO PKT

LIPKT

NP PacketizerTAP TRAFFIC COMING FROM PKT)

NP Packetizer



LI/CALEA Model for PKT_PKT_CHNL

Encoder

DecoderDSP

NPPacketizer

UnPacketizer

Encoder

DecoderDSP

NPPacketizerUnPacketizer

EncoderDSPNP

Packetizer LI_B

EncoderDSP

NPPacketizer

LI_A

TDM_PKT_CHNL

PKT_PKT_CHNL

TDM_PKT_CHNL

PKT_PKT_CHNL

B IP Phone

A IP Phone

Law Interception (LI) on Packet (PKT) Channel for PKT_PKT_CHANNEL (e.g., wireless hands-off)



LI/CALEA Model For TDM_PKT_CONF_CHNL

CALEA Model with Conferencing

security and lawful intercept - tmcnet · pdf filesecurity and lawful intercept in voip...

Documents