Security for Service Providers: Protecting Service Infrastructure – Dave Gladwin – Newport Networks – SIP ’04 – 22-Jan-04

Presentation transcript:

1 Security for Service Providers: Protecting Service Infrastructure Against DoS Attacks. Dave Gladwin

2 Agenda
- What is a DoS attack?
- What is under attack?
- How are networks interconnected?
- What steps can be taken?
- How can we protect the interconnections?
- How can we protect the clients?

3 What is an attack?
- Phreakers and hackers: from phones to computers and back again
- Stealing services; disrupting services
- Attacks can be classed as logic attacks or flood attacks
- Logic attacks exploit vulnerabilities in protocols or their implementations, e.g. Ping of Death, Teardrop, Land etc.
- Flood attacks disable targets through traffic volume
- A flood attack can originate from a single platform (Denial of Service, DoS) or from multiple platforms (Distributed Denial of Service, DDoS)

4 DoS and DDoS
[Diagram: DoS, a single Attacking Machine sends to the Target Machine. DDoS, an Attack Control Machine directs many Zombies, which all send to the Target Machine.]

5 What are the Targets?
- Targets: SIP servers, SIP proxies, SIP clients
- Launch pads: SIP servers, SIP proxies, SIP clients
- The SIP environment is subject to existing DoS attacks and to newer SIP-specific attacks

6 PSTN Networks
[Diagram: a Local Switch reaches the International Switches of several carriers over the PSTN, with SS7 signalling between carriers.]
- SS7 between carriers
- The International Switch is the demarcation point between carriers

7 Hybrid Networks #1
[Diagram: Local Switch and PSTN Access, Media Gateways on each side of an IP Core, PSTN breakout on the far side.]
- A Media Gateway converts the PSTN call to IP
- A Media Gateway converts the IP call back to PSTN for breakout
- The IP core is typically introduced to reduce transport costs

8 Hybrid Networks #2
- Peering networks interconnected using Media Gateways
- Media Gateways create the demarcation for security and accounting
- Limited to voice calls only

9 IP Interconnect
- Peer networks interconnected using Session Controllers
- Session Controllers create the demarcation for security and accounting
- Voice or multimedia calls

10 Peer-to-Peer characteristics
- Web browsing is essentially anonymous; multimedia peer-to-peer is not
- A SIP client has a public presence: SIP registration means public visibility of the client
- Public visibility means potential targets
- Clients and servers can become targets or launch pads
- SIP signalling attacks: partly logic, partly flood
- Media attacks: pure floods

11 IP Telephony Security
- Like any security system, multiple levels are needed
- Some safeguards are built into the protocol:
  - End-to-end encryption (client based): encrypts the message body and some header fields, but does not hide the To and Via fields
  - Hop-by-hop encryption of Via fields (SIP server based): Hide Hop or Hide Route
- Network partitioning: use of session controllers to provide demarcation
- Access control: use of session controllers to police resource utilization

12 Network partitioning
- Protect the core network edges: peer and access
- Prevention and cure: hide, limit and block
- Hide network topology: remove ALL internal network information from IP and SIP messages
  - The proxy offers higher levels of security and privacy for users: only the proxy address is seen
  - Helps prevent clients being used as launch pads
  - Inserts a dedicated device in the path
- Block unsolicited media with wire-speed packet dropping: conventional DoS attacks at IP level, RTP/SIP INVITE attacks
- Limit bandwidth consumption: media throttling
- Signalling integrity checks

13 Network Topology hiding
[Diagram: a SIP Client with IP address A sends a SIP message across the Core IP Network through hops X (1st VIA) and Y (2nd VIA) to the Peer Network. The message arrives as Source: A, VIA1: X, VIA2: Y.]
- As the SIP message traverses the network it may have VIAs added
- When the packet arrives at the Peer Network, the source address and the VIAs provide a roadmap of the internal network
- Don’t make it easy: hide all this detail

14 Network Topology hiding
[Diagram: the same path, but the message passes through Session Controller B before leaving for the Peer Network. The message arrives as Source: B, no VIAs.]
- The Session Controller proxies the source address of the message
- Both the IP and SIP parts of the message are updated
- All VIA information is removed
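One way the rewriting on slides 13 and 14 can be modelled in code (an added illustration, not Newport Networks' implementation): a session controller with public address B strips every Via that records hops A, X and Y, adds a single Via of its own and rewrites the Contact host. The addresses, the branch tag and the header layout are constructed assumptions.

```python
import re

SC_PUBLIC_ADDR = "203.0.113.10"  # "B": the session controller's peer-facing address (constructed)

# Constructed sample: an INVITE from client A that has crossed internal proxies X and Y.
# The Via stack (top entry is the most recent hop) is the roadmap slide 13 warns about.
INTERNAL_INVITE = (
    "INVITE sip:bob@peer.example SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.1.2.3:5060;branch=z9hG4bK-y\r\n"      # Y, 2nd VIA
    "Via: SIP/2.0/UDP 10.1.1.7:5060;branch=z9hG4bK-x\r\n"      # X, 1st VIA
    "Via: SIP/2.0/UDP 192.168.5.20:5060;branch=z9hG4bK-a\r\n"  # client A itself
    "From: <sip:alice@carrier.example>;tag=1\r\n"
    "To: <sip:bob@peer.example>\r\n"
    "Contact: <sip:alice@192.168.5.20:5060>\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

def via_hosts(msg):
    """List the host part of every Via header, top of the stack first."""
    hosts = []
    for line in msg.split("\r\n\r\n", 1)[0].split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() in ("via", "v"):
            hosts.append(value.split()[1].split(";")[0].rsplit(":", 1)[0])
    return hosts

def hide_topology(msg, public_addr=SC_PUBLIC_ADDR, branch="z9hG4bK-sc1"):
    """Return the message as it leaves the session controller (slide 14): every internal
    Via removed, one Via naming the controller on top, and the Contact host rewritten
    so that responses and media are addressed to the controller rather than to A."""
    head, sep, body = msg.partition("\r\n\r\n")
    request_line, *headers = head.split("\r\n")
    kept = []
    for h in headers:
        name = h.split(":", 1)[0].strip().lower()
        if name in ("via", "v"):
            continue  # drop A, X and Y: nothing about the internal path leaves the network
        if name in ("contact", "m"):
            h = re.sub(r"@[^>;]+", f"@{public_addr}:5060", h)  # user part kept, host becomes B
        kept.append(h)
    out_via = f"Via: SIP/2.0/UDP {public_addr}:5060;branch={branch}"
    return "\r\n".join([request_line, out_via, *kept]) + sep + body
```

A real controller acting as a back-to-back user agent also has to remember the removed Via stack and the A-to-B mapping so that the response and the media find their way back; that call state is left out here.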

15 Benefits
- The network advertises the SIP Call Agent address as the peer Session Controller to external networks
- Any call entering or leaving the network appears to come from the address of the Session Controller
- All internal network details are hidden
- Signalling and media paths are tied together at this point, which means:
  - Media bandwidth can be policed
  - Unsolicited media can be dropped

16 Media policing
[Diagram: SIP Client with IP address A, Session Controller B at the edge of the Core IP Network; media exceeding the signalled bandwidth arrives at B.]
- Signalling indicates the bandwidth; the Session Controller polices the actual bandwidth
- Protects network peering points
- Prevents excessive media in the core network
- Protects clients

17 Blocking of Unsolicited Media
[Diagram: SIP Client A, Session Controller B, Core IP Network; unsolicited media arrives at B while no media path has been opened by signalling.]
- The Session Controller only opens ports for specific source/destination IP address/port pairs
- Non-matching media is dropped at wire speed
- Protects the core and clients

18 User Security and Privacy
[Diagram: SIP Client A in the Access Network registers with the Call Agent in the Core Network; unsolicited media is directed at address A.]
- The SIP Client registers address A, which is now a ‘public’ address
- Unsolicited media can be directed at this address
- Difficult for the Service Provider to police

19 User Security and Privacy
[Diagram: as before, but the registration passes through Session Controller B between the Access Network and the Core Network; unsolicited media directed at B is dropped.]
- The SIP Client registers; the message is routed via the Session Controller
- The Session Controller modifies the source address to one of its own, ‘B’
- Address ‘B’ is now the ‘public’ address for Client A
- Unsolicited media directed at this address is dropped at wire speed
- Simple for the Service Provider to police

20 Example Media Attack
[Diagram: the attacker sends an INVITE to the SIP Media Server in the Core Network with Source address: Client A; the Media Server streams media to Client A in the Access Network.]
- The attacker learns Client A’s registered address
- The attacker sends an INVITE to a SIP Media Server, spoofing the target’s address
- Client A and the Access Network are saturated with media packets

21 Media Attack Limited
[Diagram: the attacker sends an INVITE to the SIP Media Server with Source address: proxy address of Client A; the Media Server streams media to the proxy address, where the Session Controller drops it.]
- The attacker learns Client A’s registered (proxy) address
- The attacker sends an INVITE to a SIP Media Server, spoofing the target’s proxied address
- The Session Controller does not have a valid media path set up for Client A
- All unsolicited media is dropped: the Access Network and the Client are protected
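The media-side checks on slides 16, 17 and 21 modelled together (an added illustration, not Newport Networks' implementation): pinholes are opened only for the source/destination IP:port pairs the SDP offer/answer names, the b=AS bandwidth each side declared is enforced on the flow towards it, and everything else, including the media server stream from slide 21, is dropped. The SDP bodies, addresses, ports and packet sizes are constructed.

```python
import re
from collections import namedtuple

Packet = namedtuple("Packet", "src_ip src_port dst_ip dst_port size t")  # size in bytes, t in seconds
# Constructed SDP: what Session Controller B offers on its public side, and the peer's answer.
OFFER = "v=0\r\nc=IN IP4 203.0.113.10\r\nb=AS:80\r\nm=audio 20000 RTP/AVP 0\r\n"
ANSWER = "v=0\r\nc=IN IP4 198.51.100.7\r\nb=AS:80\r\nm=audio 30000 RTP/AVP 0\r\n"

def sdp_endpoint(sdp):
    """Media address, port and the rate (kbit/s) this side is willing to receive."""
    ip = re.search(r"^c=IN IP4 (\S+)", sdp, re.M).group(1)
    port = int(re.search(r"^m=audio (\d+)", sdp, re.M).group(1))
    bw = re.search(r"^b=AS:(\d+)", sdp, re.M)
    return ip, port, int(bw.group(1)) if bw else 80  # assume one G.711 stream if undeclared

class MediaPolicer:
    def __init__(self):
        self.pinholes = {}  # (src_ip, src_port, dst_ip, dst_port) -> {"limit", "second", "bits"}

    def open_session(self, offer, answer):
        """Signalling seen: open exactly the two flows the offer/answer describe (slide 17),
        each bounded by the bandwidth its receiver declared (slide 16)."""
        a_ip, a_port, a_kbps = sdp_endpoint(offer)
        b_ip, b_port, b_kbps = sdp_endpoint(answer)
        for key, kbps in (((a_ip, a_port, b_ip, b_port), b_kbps),
                          ((b_ip, b_port, a_ip, a_port), a_kbps)):
            self.pinholes[key] = {"limit": kbps * 1000, "second": -1, "bits": 0}

    def handle(self, pkt):
        """Decide the fate of one media packet; a per-second bit count stands in for a token bucket."""
        hole = self.pinholes.get((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
        if hole is None:
            return "drop:unsolicited"  # no signalling opened this pair: dropped at wire speed
        sec = int(pkt.t)
        if sec != hole["second"]:
            hole["second"], hole["bits"] = sec, 0
        hole["bits"] += pkt.size * 8
        return "drop:over-bandwidth" if hole["bits"] > hole["limit"] else "forward"

def run_scenarios():
    """Slide 21's attack, then a legitimate call that bursts above its declared rate."""
    sc = MediaPolicer()
    sc.open_session(OFFER, ANSWER)
    # A media server at 198.51.100.9 was tricked into streaming to the proxied address: no pinhole.
    unsolicited = sc.handle(Packet("198.51.100.9", 40000, "203.0.113.10", 20000, 1400, 0.0))
    # The real peer: 51 packets of 200 bytes inside one second; the 51st exceeds 80 kbit/s.
    legit = [sc.handle(Packet("198.51.100.7", 30000, "203.0.113.10", 20000, 200, i * 0.019))
             for i in range(51)]
    return unsolicited, legit.count("forward"), legit[-1]
```

A production policer would use a token bucket rather than a fixed one-second window and would also close the pinholes when the BYE is seen.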

22 Partitioned Network
- Peering points connected via Session Controllers: provides media protection, accounting and topology hiding
- Corporate networks accessed via Session Controllers: clients and Access Networks protected from unsolicited and excessive media

23 Other activities
- STEM (Secure Telephony Enabled Middlebox): a proposal for a middlebox solution aimed at improving the security of enterprise telephony services
- ICE (Interactive Connectivity Establishment): a proposal for a client-based connectivity solution that makes use of STUN (Simple Traversal of UDP through NAT); connectivity is confirmed before media is sent

24 Summary
- DoS needs targets
- Implement ‘hiding’ and encryption wherever possible; reveal as little as possible
- Hide the entire network at the peering point: don’t advertise internal network addresses
- Hide real clients on the access side: don’t advertise real client addresses
- Partition the network with Session Controllers: block unsolicited media, police actual media bandwidth
- This limits the scope of any attack

25 Thank You. Dave Gladwin