Security and Lawful Intercept In VoIP Networks
Manohar Mahavadi, Centillium Communications Inc., Fremont, California
www.voipdeveloper.com, August 8-10, 2006
Hyatt Regency Santa Clara, Santa Clara, California
Agenda
• VoIP: packet switched network
• VoIP devices
• VoIP protocols
• Security and issues in VoIP networks
• CALEA
VoIP: Packet Switched Network
[Figure: a VoIP phone, a PC and a POTS phone connect through modems and a DSLAM/router to a broadband network and the Internet; a media gateway bridges the packet network to the PSTN.]
VoIP Devices
• Media servers
  – Call controllers
  – Conferencing servers
  – Text-to-speech (TTS) servers
  – Voice or video servers
• Media gateways
  – Analog (PSTN) to IP (VoIP)
  – H.323 to ISDN
  – IP to ATM, TDM to IP
VoIP Devices
• Security devices
  – Firewalls
  – Intrusion detection systems (IDS)
  – Intrusion prevention systems (IPS)
  – VPN gateways
• Switching and routing devices
• End points
  – SIP user agents
  – Terminals
  – Soft-phones
VoIP Protocols
• Signaling protocols: call configuration and management
  – Call setup and teardown, call control
  – Capability exchange: codecs, tones, etc.
  – Supplementary services: conferencing, call forwarding, call transfer
  – H.323 protocol suite: ITU-T standard; mature and widely deployed, but complex
  – Session Initiation Protocol (SIP): IETF standard; newer, simpler and gaining popularity
VoIP Protocols
• Data protocols
  – Real-time Transport Protocol (RTP)
    • RFC 1889 (since superseded by RFC 3550)
    • Transport of voice and video over UDP
    • Sequence number: lets the receiver detect lost packets and reorder out-of-order ones (RTP itself does not retransmit or guarantee delivery)
    • Timestamp: delay and jitter calculations
  – RTP Control Protocol (RTCP)
    • RFC 1889
    • Periodic exchange of control information: sender reports, receiver reports, source description
    • Optional encryption (DES-CBC), with a random 32-bit prefix prepended to the packet
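As an added example (not code from the original slides), a pure-standard-library Python parser for the RTP fixed header together with the receiver-side bookkeeping that the sequence number and timestamp make possible: loss and reordering detection and the RFC 3550 section 6.4.1 interarrival-jitter estimate. The packets are constructed inline; the SSRC, payload type and 8 kHz clock are assumptions made for the demonstration.

```python
import struct

# Constructed RTP packets for the demonstration (not captured traffic).
# RFC 3550 fixed header: V(2) P(1) X(1) CC(4) | M(1) PT(7) | sequence | timestamp | SSRC


def build_rtp(seq, timestamp, ssrc=0x1234ABCD, payload_type=0, marker=0, payload=b"\xff" * 160):
    first = (2 << 6) | 0            # version 2, no padding, no extension, CC=0
    second = (marker << 7) | (payload_type & 0x7F)
    return struct.pack("!BBHII", first, second, seq & 0xFFFF, timestamp & 0xFFFFFFFF, ssrc) + payload


def parse_rtp(packet):
    """Parse the fixed header, CSRC list, optional extension and padding; raise on malformed input."""
    if len(packet) < 12:
        raise ValueError("short RTP packet")
    first, second, seq, ts, ssrc = struct.unpack("!BBHII", packet[:12])
    if first >> 6 != 2:
        raise ValueError("unsupported RTP version %d" % (first >> 6))
    cc = first & 0x0F
    end = 12 + 4 * cc
    if len(packet) < end:
        raise ValueError("truncated CSRC list")
    csrcs = struct.unpack("!%dI" % cc, packet[12:end]) if cc else ()
    if first & 0x10:                       # header extension present
        if len(packet) < end + 4:
            raise ValueError("truncated extension header")
        ext_words = struct.unpack("!HH", packet[end:end + 4])[1]
        end += 4 + 4 * ext_words
        if len(packet) < end:
            raise ValueError("truncated extension")
    payload = packet[end:]
    if first & 0x20:                       # padding: last byte holds the pad length
        pad = payload[-1] if payload else 0
        if pad == 0 or pad > len(payload):
            raise ValueError("bad padding length")
        payload = payload[:-pad]
    return {"seq": seq, "timestamp": ts, "ssrc": ssrc, "pt": second & 0x7F,
            "marker": bool(second & 0x80), "csrc": csrcs, "payload": payload}


class RtpStreamMonitor:
    """Receiver-side accounting for one SSRC: loss, reordering, duplicates and the
    RFC 3550 interarrival jitter (J += (|D| - J) / 16), all in RTP clock ticks."""

    def __init__(self):
        self.expected = None
        self.lost = 0
        self.reordered = 0
        self.duplicates = 0
        self.jitter = 0.0
        self.prev_transit = None
        self.seen = set()

    def feed(self, packet, arrival_ticks):
        hdr = parse_rtp(packet)
        seq = hdr["seq"]
        if seq in self.seen:
            self.duplicates += 1
            return hdr
        self.seen.add(seq)
        if self.expected is None:
            self.expected = seq
        gap = (seq - self.expected) & 0xFFFF     # 16-bit arithmetic handles wraparound
        if gap < 0x8000:
            self.lost += gap                     # packets skipped over are presumed lost
            self.expected = (seq + 1) & 0xFFFF
        else:
            self.reordered += 1                  # late arrival of a packet counted lost above
            self.lost -= 1
        transit = arrival_ticks - hdr["timestamp"]
        if self.prev_transit is not None:
            d = abs(transit - self.prev_transit)
            self.jitter += (d - self.jitter) / 16.0
        self.prev_transit = transit
        return hdr

    def stats(self):
        return {"lost": self.lost, "reordered": self.reordered,
                "duplicates": self.duplicates, "jitter_ticks": self.jitter}


def demo_stream():
    """Constructed scenario: 20 ms G.711 frames (160 ticks at 8 kHz); seq 3 never arrives,
    seq 5 arrives before seq 4 (which is 40 ticks late), and seq 6 is delivered twice."""
    mon = RtpStreamMonitor()
    schedule = [(1, 160), (2, 320), (5, 800), (4, 680), (6, 960), (6, 961)]  # (seq, arrival ticks)
    for seq, arrival in schedule:
        mon.feed(build_rtp(seq, seq * 160), arrival)
    return mon.stats()


if __name__ == "__main__":
    print(demo_stream())
```

The monitor trusts the sequence number, which is exactly what an injector on the path can forge; a large forward jump followed by silence looks like loss but may be an attacker racing ahead of the real sender, so production receivers bound how far `expected` may jump before treating the stream as restarted.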
VoIP Protocols: H.323 Architecture
• Terminal
  – Endpoint on a network providing real-time communications with other devices, including gateways, MCUs and gatekeepers
  – Implements one or more codecs
  – Example: Microsoft NetMeeting
• Multipoint control unit (MCU)
  – Manages multipoint conferences between three or more end points
  – Multipoint controller (MC): handles call control, sends the capability set to all participants, manages join-in/drop-out
  – Multipoint processor (MP, optional): performs media exchange in a conference and processes the actual media streams
VoIP Protocols: H.323 Architecture
• Gateway
  – Protocol conversion between H.323 networks and other networks such as ISDN or PSTN (packet networks and circuit switched networks)
  – Acts as a terminal on the packet network side and as a node on the circuit network side
  – Ability to set up and terminate calls
  – Provides translation of data format, control signaling, and audio and video codecs
• Gatekeeper
  – Central management and control services
  – Registration of terminals, gateways and MCUs
  – Address translation, access control, bandwidth management, routing
VoIP Protocols: SIP Architecture
• SIP user agents
  – Endpoint or end-station
  – Client/server architecture: user agent client (UAC) and user agent server (UAS)
• SIP servers
  – Proxy server
    • Routes requests using the current locations of registered user agents and assists in call management
    • Forks incoming calls to multiple locations
    • Logs call information for billing
  – Redirect server
    • Provides name resolution and user location
    • Does not participate in call establishment
  – Registrar
    • Accepts REGISTER requests and provides the location information service
VoIP Support Protocols
• DNS: name resolution, address conversion
• TFTP: software downloads and file transfer (no authentication or encryption, so phone firmware and configuration files can be read or substituted by anyone on the path)
• SNMP: management and configuration (SNMPv1/v2c community strings travel in the clear)
• DHCP: dynamic address allocation
• RSVP: QoS allocation
• SDP: sharing of client session capabilities
Security Issues in VoIP
• Scams
  – In June 2006, federal authorities arrested a Miami man for reselling Internet telephone service by hacking into the lines of legitimate telephone companies
  – Piggybacking on other operators' networks is possible because VoIP traffic is not secured
Security: Basic Requirements
• Privacy
  – Encryption: symmetric and asymmetric keys
  – DES, 3DES, AES (DES is no longer considered secure; use AES)
• Integrity
  – MD5, HMAC-MD5
  – SHA-1, HMAC-SHA-1 (collisions are practical for both MD5 and SHA-1; for new designs use SHA-2, e.g. HMAC-SHA-256)
• Authentication
  – RADIUS
  – PKI
  – Digital certificates
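Added example, not from the slides: how a SIP registrar authenticates a REGISTER with HTTP Digest as RFC 3261 section 22 specifies it (MD5, because the protocol mandates it, which is the compatibility reason MD5 still appears on the slide above). The realm, user, password and nonce values are made up for the demonstration, and the functions and header builder are this example's own, not an existing library API.

```python
import hashlib
import hmac
import os
import re

# RFC 3261 Digest uses MD5 in the challenge/response construction; that is a protocol
# compatibility requirement of SIP, not a recommendation for new designs.


def _md5(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(username, realm, password, method, uri, nonce, qop=None, nc=None, cnonce=None):
    """RFC 2617 / RFC 3261 response: MD5(HA1:nonce[:nc:cnonce:qop]:HA2)."""
    ha1 = _md5("%s:%s:%s" % (username, realm, password))
    ha2 = _md5("%s:%s" % (method, uri))       # binds the response to the SIP method and URI
    if qop == "auth":
        return _md5("%s:%s:%s:%s:%s:%s" % (ha1, nonce, nc, cnonce, qop, ha2))
    return _md5("%s:%s:%s" % (ha1, nonce, ha2))


def new_nonce():
    """Server-side nonce; must be unpredictable and short-lived to limit replay."""
    return os.urandom(16).hex()


def build_authorization(username, realm, password, method, uri, nonce, cnonce, nc="00000001"):
    """Client side: the Authorization header sent in the retried request after a 401."""
    response = digest_response(username, realm, password, method, uri, nonce, "auth", nc, cnonce)
    return ('Digest username="%s", realm="%s", nonce="%s", uri="%s", response="%s", '
            'algorithm=MD5, qop=auth, nc=%s, cnonce="%s"'
            % (username, realm, nonce, uri, response, nc, cnonce))


# name=value pairs, quoted or bare; a quoted value is consumed whole so ';' and '=' inside a URI are safe
_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^\s,]+))')


def parse_authorization(header):
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest credential")
    return {m.group(1).lower(): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _PARAM.finditer(params)}


def verify_authorization(header, method, realm, issued_nonce, password_lookup):
    """Server side. Recomputes the response from the stored password and compares in
    constant time; rejects a stale or foreign nonce, another realm, or an unknown user."""
    p = parse_authorization(header)
    if p.get("realm") != realm or p.get("nonce") != issued_nonce:
        return False
    password = password_lookup(p.get("username", ""))
    if password is None:
        return False
    expected = digest_response(p["username"], realm, password, method, p.get("uri", ""),
                               issued_nonce, p.get("qop"), p.get("nc"), p.get("cnonce"))
    return hmac.compare_digest(expected, p.get("response", ""))


# Constructed registrar state for the demonstration.
USERS = {"alice": "correct horse battery staple"}
REALM = "sip.example.net"


def demo():
    nonce = new_nonce()
    hdr = build_authorization("alice", REALM, USERS["alice"], "REGISTER", "sip:" + REALM, nonce, "a1b2c3")
    return {
        "genuine": verify_authorization(hdr, "REGISTER", REALM, nonce, USERS.get),
        "method_swapped": verify_authorization(hdr, "INVITE", REALM, nonce, USERS.get),
        "replayed_nonce": verify_authorization(hdr, "REGISTER", REALM, new_nonce(), USERS.get),
    }


if __name__ == "__main__":
    print(demo())
```

Note what Digest does and does not cover: the response binds the method and request-URI, so a captured REGISTER credential cannot be replayed as an INVITE or against another nonce, but the rest of the message (Contact, SDP, the body) is unprotected, and the server must know the password (or HA1) in clear. That is why the signaling path itself still needs TLS.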
Security: Network Security Threats
• DoS attacks
  – CPU resource starvation
  – Service degradation or disruption
  – Random TCP, UDP or ICMP packets on random ports (example: packets with the urgent flag set)
  – Bogus signaling messages causing premature call termination
  – Control packet floods
  – Encrypting or authenticating individual packets is not a cure here: the target still spends CPU parsing and rejecting every flooded packet, so filtering and rate limiting in front of it are needed
Security: Network Security Threats
• Call interception and hijacking
  – DNS poisoning
    • SIP uses DNS SRV records to locate SIP services (RFC 3263)
    • Call redirection: poisoned SRV records point clients at attacker-controlled servers rather than the legitimate ones
  – ARP spoofing (cache poisoning): MAC address manipulation puts the attacker on-path on the LAN
  – Session hijacking due to rerouting
  – Session interception and message tampering
  – Mitigation: encrypt and authenticate both signaling and media (e.g., TLS for SIP, SRTP for RTP), since the endpoints cannot prevent the rerouting itself
Security: Enforcement
• Firewalls
  – Network layer: source address, destination address
  – Application layer: FTP, HTTP, e-mail, etc.
  – Stateful firewalls: inbound responses to outbound requests permitted
  – Network address translation (NAT): internal IP address shielding
• Intrusion detection and reporting
  – Counter-based
  – Traffic-anomaly-based
  – Logging and reporting
  – False alarms
• Intrusion prevention
  – Detect and drop
  – Detect and throttle
  – Dynamic reconfiguration
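Added example, not code from the slides, serving both the control-packet flood on the threats slide and the counter-based detection with detect-and-drop listed here: a sliding-window counter per source and SIP method, run over a constructed signaling log. The window, threshold, addresses and event stream are assumptions chosen for the illustration.

```python
from collections import defaultdict, deque


class CounterBasedDetector:
    """Sliding-window counter per (source, SIP method). When more than `threshold`
    requests arrive within `window_ms`, the source is flagged once and every further
    request is dropped until the window drains (detect and drop)."""

    def __init__(self, window_ms=10_000, threshold=20):
        self.window_ms = window_ms
        self.threshold = threshold
        self.windows = defaultdict(deque)   # (src, method) -> arrival timestamps in ms
        self.flagged = set()
        self.alerts = []                    # (ts, src, method, count in window)
        self.dropped = 0

    def observe(self, ts_ms, src, method):
        key = (src, method)
        q = self.windows[key]
        q.append(ts_ms)
        while q and ts_ms - q[0] > self.window_ms:   # expire arrivals older than the window
            q.popleft()
        if len(q) > self.threshold:
            if key not in self.flagged:              # one alert per flood episode
                self.flagged.add(key)
                self.alerts.append((ts_ms, src, method, len(q)))
            self.dropped += 1
            return "drop"
        self.flagged.discard(key)                    # rate fell back under the threshold
        return "pass"


def constructed_events():
    """Constructed signaling log (not real traffic): (timestamp ms, source IP, method)."""
    events = [(i * 5_000, "192.0.2.10", "INVITE") for i in range(12)]          # one call attempt per 5 s
    events += [(i * 30_000, "192.0.2.10", "REGISTER") for i in range(2)]        # periodic re-registration
    events += [(30_000 + i * 10, "203.0.113.7", "INVITE") for i in range(200)]  # 200 INVITEs in 2 s
    events.sort(key=lambda e: e[0])
    return events


def run_detector(window_ms=10_000, threshold=20):
    det = CounterBasedDetector(window_ms, threshold)
    decisions = [det.observe(*e) for e in constructed_events()]
    return det, decisions


if __name__ == "__main__":
    det, decisions = run_detector()
    for ts, src, method, count in det.alerts:
        print("flood from %s (%s): %d requests in window at t=%d ms" % (src, method, count, ts))
    print("passed %d, dropped %d" % (decisions.count("pass"), det.dropped))
```

The legitimate phone never exceeds three INVITEs per window and is untouched; the flooding source is flagged on its 21st request and the remaining 180 are dropped. The "false alarms" item on the slide is the practical problem with this approach: a trunk from a PBX or another carrier legitimately carries far more than 20 INVITEs per 10 s from one address, so thresholds have to be set per peer (or trunks exempted) rather than globally.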
Security: Enforcement
• Systems
  – Virus scanning
  – E-mails with attachments
  – File downloads and piggybacking
  – Scan, detect and quarantine
  – Logging and reporting
• VPN gateways
  – Secure tunnels between gateways
  – Bulk encryption
  – Road warriors: remote access
Security: Network-based
[Figure: a firewall with IDS/IPS at the LAN/Internet boundary and a second firewall with IDS/IPS in front of the media gateway to the PSTN; endpoints shown are a VoIP phone, a POTS phone and a soft-phone.]
Security: Host-based
[Figure: the same broadband topology as the network diagram (modems, DSLAM/router, Internet, media gateway, PSTN), with protection moved to the hosts and edge devices: a firewall with IDS/IPS in front of the media gateway, a DSLAM/router with a built-in firewall, and a Microsoft firewall and anti-virus on the PC; endpoints are a VoIP phone, a POTS phone and the PC.]
Security: Software Techniques

Layer             Protocols                    Security technique
Application       e-mail, NFS, MS Word, FTP    User name/password, S/MIME
Presentation
Session
Transport         TCP, UDP                     SSL/TLS
Network           IP                           IPsec
Data link
Physical
S/MIME Protocol
• Secure/Multipurpose Internet Mail Extensions
• Enables secure transmission, storage and authentication of data
• Applications
  – Electronic Data Interchange over the Internet (EDI-INT)
  – Storage and transfer of bank statements, financial forms, etc.
  – Electronic billing and payments, online sales, etc.
  – Secure patient records and record management
SSL/TLS Protocols
• Secure Sockets Layer (SSL) developed by Netscape
• Transport Layer Security (TLS): IETF standard (RFC 2246, TLS 1.0) based on SSL 3.0; since superseded by TLS 1.2 (RFC 5246) and TLS 1.3 (RFC 8446), and SSL 3.0 itself has been deprecated (RFC 7568)
• SSL and TLS provide point-to-point application security
• SSL 3.0 and TLS are not interoperable with each other; the version to use is negotiated at the start of the handshake
• Applications
  – Remote access for management and control
  – Secure account management
  – Travel reservations
IPsec Protocol
• Secures data across insecure channels
• Policy-based enforcement (per host, application, etc.)
• Tunnel mode of operation
  – Between gateways, creating a tunnel connecting two or more networks
  – Encapsulates the whole original IP packet (header and payload) behind a new outer IP header; with ESP the inner header and payload are encrypted
• Transport mode of operation
  – Between end points or between an end point and a gateway
  – Protects the IP payload only; the original IP header stays in the clear
• Applications
  – VPNs connecting geographically separate networks
  – Bulk data transfers
  – Mobile users/road warriors
IPsec: Protocols
Authentication Header (AH)
• Transport mode: [IP header][AH][data]
  – Authenticated: the whole packet, with the mutable IP header fields (TOS, flags, fragment offset, TTL, checksum) treated as zero for the ICV
• Tunnel mode: [new IP header][AH][original IP header][data]
  – Authenticated: the whole packet, with the mutable fields of the new outer header treated as zero; the original header is covered in full
• AH provides integrity and origin authentication only; nothing is encrypted
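Added example, not from the slides: building and verifying an IPv4 transport-mode AH packet in Python to show what the "authenticated" span in the diagram means in practice. The ICV covers the IP header only with its mutable fields zeroed, so a router that decrements the TTL (and refreshes the checksum) does not break verification, while any change to the addresses or payload does. HMAC-SHA-256-128 (RFC 4868) is assumed as the integrity algorithm; the key, SPI and addresses are made up; the anti-replay check is simplified to strict ordering rather than the RFC's sliding window.

```python
import hashlib
import hmac
import socket
import struct

AH_PROTO = 51
ICV_LEN = 16           # HMAC-SHA-256-128: 256-bit MAC truncated to 128 bits (RFC 4868), assumed here
AH_LEN = 12 + ICV_LEN  # fixed AH fields + ICV; already a multiple of 4 bytes, so no AH padding


def ipv4_checksum(hdr):
    total = sum((hdr[i] << 8) | hdr[i + 1] for i in range(0, len(hdr), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, total_len, ttl=64, tos=0, ident=0x1234, flags_frag=0x4000):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, total_len, ident, flags_frag, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def zero_mutable(ip_hdr):
    """RFC 4302 section 3.3.3.1: fields that change in transit are zeroed for ICV computation."""
    b = bytearray(ip_hdr)
    b[1] = 0                 # TOS (DSCP/ECN)
    b[6:8] = b"\x00\x00"     # flags + fragment offset
    b[8] = 0                 # TTL
    b[10:12] = b"\x00\x00"   # header checksum
    return bytes(b)


def ah_encapsulate(key, src, dst, inner_proto, payload, spi, seq):
    """Transport mode: [IP header][AH][payload]; ICV over the whole packet with mutable fields and ICV zeroed."""
    ip_hdr = ipv4_header(src, dst, AH_PROTO, 20 + AH_LEN + len(payload))
    ah_fixed = struct.pack("!BBHII", inner_proto, AH_LEN // 4 - 2, 0, spi, seq)  # next hdr, len, reserved, SPI, seq
    icv_input = zero_mutable(ip_hdr) + ah_fixed + b"\x00" * ICV_LEN + payload
    icv = hmac.new(key, icv_input, hashlib.sha256).digest()[:ICV_LEN]
    return ip_hdr + ah_fixed + icv + payload


def ah_verify(key, packet, last_seq=None):
    """Returns (next_header, spi, seq, payload), or None if framing, ICV or replay check fails."""
    ip_hdr, rest = packet[:20], packet[20:]
    if len(ip_hdr) < 20 or ip_hdr[9] != AH_PROTO or len(rest) < AH_LEN:
        return None
    next_hdr, plen, _, spi, seq = struct.unpack("!BBHII", rest[:12])
    if (plen + 2) * 4 != AH_LEN:                   # only the assumed ICV length is accepted
        return None
    icv, payload = rest[12:AH_LEN], rest[AH_LEN:]
    expected = hmac.new(key, zero_mutable(ip_hdr) + rest[:12] + b"\x00" * ICV_LEN + payload,
                        hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(expected, icv):
        return None
    if last_seq is not None and seq <= last_seq:   # simplified anti-replay (strict ordering)
        return None
    return next_hdr, spi, seq, payload


def forward_one_hop(packet):
    """What a router does in transit: decrement TTL and recompute the header checksum."""
    hdr = bytearray(packet[:20])
    hdr[8] -= 1
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ipv4_checksum(hdr))
    return bytes(hdr) + packet[20:]


if __name__ == "__main__":
    key = bytes(range(32))                         # constructed SA key
    pkt = ah_encapsulate(key, "192.0.2.1", "192.0.2.2", 17, b"rtp-over-udp-payload", 0x1000, 1)
    print("original verifies:", ah_verify(key, pkt) is not None)
    print("after a router hop:", ah_verify(key, forward_one_hop(pkt)) is not None)
    tampered = pkt[:-1] + bytes([pkt[-1] ^ 1])
    print("payload bit flipped:", ah_verify(key, tampered) is not None)
```

Because the source and destination addresses are inside the authenticated span, AH cannot pass through a NAT; that is the practical reason ESP (whose ICV starts after the IP header) is what VoIP deployments behind NAT actually use.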
IPsec: Protocols
Encapsulating Security Payload (ESP)
• Transport mode: [IP header][ESP header][data][ESP trailer][ICV]
  – Encrypted: data and ESP trailer
  – Authenticated (ESP ICV, or AH when both are used): ESP header, data and ESP trailer; the IP header is not covered
• Tunnel mode: [new IP header][ESP header][original IP header][data][ESP trailer][ICV]
  – Encrypted: original IP header, data and ESP trailer
  – Authenticated (ESP ICV, or AH when both are used): ESP header through ESP trailer; the new outer header is not covered
Understanding LI/CALEA
[Figure: surveillance model]
Understanding LI/CALEA
• The intercept function is viewed as five broad categories
  – Access function: one or more intercept access points (IAPs)
  – Delivery function: call content channels (CCCs) and call data channels (CDCs)
  – Collection function: collecting and analyzing intercepted communications
  – Service provider administration function: controlling the TSP (telecommunications service provider) access and delivery functions
  – Law enforcement administration function: controlling the LEA (law enforcement agency) collection function
Understanding LI/CALEA
[Figure: circuit IAP for a two-way communication]
Understanding LI/CALEA
[Figure: packet IAP for a two-way communication]
LI/CALEA Model for TDM_PKT_CHNL
[Figure: lawful interception (LI) on a circuit (TDM) or packet (PKT) channel for a TDM_PKT_CHANNEL. A legacy phone (A) on the TDM side passes through an echo canceller (EC) and a DSP encoder/decoder; a network processor (NP) packetizer/unpacketizer carries the stream to an IP phone (B). Tap points: LI_TDM on the circuit side and LI_PKT on the packet side, capturing traffic both coming to and coming from the packet network.]
LI/CALEA Model for PKT_PKT_CHNL
[Figure: lawful interception (LI) on a packet (PKT) channel for a PKT_PKT_CHANNEL, e.g. a wireless hand-off. IP phones A and B are each served by a DSP encoder/decoder and an NP packetizer/unpacketizer; TDM_PKT_CHNL and PKT_PKT_CHNL stages are chained, with tap points LI_A and LI_B on the packetized streams of the respective legs.]
LI/CALEA Model For TDM_PKT_CONF_CHNL
CALEA Model with Conferencing