SIP Security & the Future of VoIP Nate Klingenstein APAN 26 Queenstown August 5, 2008 ~ndk/apanSIP.pdf.

Slides:

Advertisements

Similar presentations

Presence, Security and Privacy. VON The Current Environment Many Faces of Security Authentication Verify someone is who they.

Advertisements

U N L E A S H I N G A S E R V I C E S R E N A I S S A N C E SIP SIP Security Jonathan Rosenberg Chief Scientist.

SURA/ViDe 4th Annual Workshop SIP, Security & Threat Models Dr. Samir Chatterjee School of Information Science Claremont Graduate University Claremont,

Network Systems Sales LLC

Addressing Security Issues IT Expo East Addressing Security Issues Unified Communications SIP Communications in a UC Environment.

Security in VoIP Networks Juan C Pelaez Florida Atlantic University Security in VoIP Networks Juan C Pelaez Florida Atlantic University.

Nicolas FISCHBACH Senior Manager, IP Engineering/Security - COLT Telecom - version 1.0 Voice over IP (VoIP)

Guide to Network Defense and Countermeasures Second Edition

The study and demonstration on SIP security vulnerabilities Mahidhar Penigi Vamsi Krishna Karnati.

VPN: Virtual Private Network Presented by: Germaine Bacon Lizzi Beduya Betty Huang Jun Mitsuoka Juliet Polintan.

1 Kommunikatsiooniteenuste arendus IRT0080 Loeng 5 Avo Ots telekommunikatsiooni õppetool, TTÜ raadio- ja sidetehnika inst.

5-Network Defenses Dr. John P. Abraham Professor UTPA.

1.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 1: Introducing Windows Server.

Enabling SIP to the Enterprise Steve Johnson, Ingate Systems Security: How SIP Improves Telephony.

Cosc 4765 Network Security: Routers, Firewall, filtering, NAT, and VPN.

SIP Security Issues: The SIP Authentication Procedure and its Processing Load Stefano Salsano, DIE — Universit à di Roma “ Tor Vergata ” Luca Veltri, and.

Voice over IP and IP telephony Network convergence – Telephone and IT – PoE (Power over Ethernet) Mobility and Roaming Telco – Switched -> Packet (IP)

H. 323 and firewalls: Problem Statement and Solution Framework Author: Melinda Shore, Nokia Presenter: Shannon McCracken.

1 Network Architecture and Design Advanced Issues in Internet Protocol (IP) IPv4 Network Address Translation (NAT) IPV6 IP Security (IPsec) Mobile IP IP.

Internet Protocol Security An Overview of IPSec. Outline:  What Security Problem?  Understanding TCP/IP.  Security at What Level?  IP Security. 

A Security Pattern for a Virtual Private Network Ajoy Kumar and Eduardo B. Fernandez Dept. of Computer Science and Eng. Florida Atlantic University Boca.

Skype Connected to a SIP PBX

Security Forum 2001John Kristoff - DePaul University1 Network Firewalls John Kristoff DePaul University Chicago, IL

This work is supported by the National Science Foundation under Grant Number DUE Any opinions, findings and conclusions or recommendations expressed.

VPN’s Kristin Belanger. VPN’s Accommodate employees at distant offices Accommodate employees at distant offices Usually set up through internet Usually.

5/3/2006 tlpham VOIP/Security 1 Voice Over IP and Security By Thao L. Pham CS 525.

VPN – Technologies and Solutions CS158B Network Management April 11, 2005 Alvin Tsang Eyob Solomon Wayne Tsui.

Secure Network Design: Designing a Secure Local Area Network IT352 | Network Security |Najwa AlGhamdi1 Case Study

IT Expo SECURITY Scott Beer Director, Product Support Ingate

Common Misconceptions Alan D. Percy Director of Market Development The Truth of Enterprise SIP Security.

Polycom Conference Firewall Solutions. 2 The use of Video Conferencing Is Rapidly Growing More and More people are adopting IP conferencing Audio and.

Wolfgang Schneider NSI: A Client-Server-Model for PKI Services.

The Voice Security Company Kirk Vaughan Product Director –VoIP SIP Application Security.

Copyright Security-Assessment.com 2005 VoIP 2 Is free too Expensive? by Darren Bilby and Nick von Dadelszen.

Ingate & Dialogic Technical Presentation SIP Trunking Focused.

SIP? NAT? NOT! Traversing the Firewall for SIP Call Completion Steven Johnson President, Ingate Systems Inc.

Mobility And Anywhere Access Clancy Priest Technology Services Director City of Hayward.

VoIP security : Not an Afterthought. OVERVIEW What is VoIP? Difference between PSTN and VoIP. Why VoIP? VoIP Security threats Security concerns Design.

OpenVPN OpenVPN: an open source, cross platform client/server, PKI based VPN.

Towards a Scalable and Secure VoIP Infrastructure Towards a Scalable and Secure VoIP Infrastructure Lab for Advanced Networking Systems Director: David.

 Introduction  VoIP  P2P Systems  Skype  SIP  Skype - SIP Similarities and Differences  Conclusion.

1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved.

Remote Access Chapter 4. Learning Objectives Understand implications of IEEE 802.1x and how it is used Understand VPN technology and its uses for securing.

October 15, 2002Serguei A. Mokhov, 1 Intro to Internet-services from Security Standpoint SOEN321-Information-Systems Security Revision.

Copyright Security-Assessment.com 2004 Security-Assessment.com Hacking VoIP Is your Conversation confidential? by Nick von Dadelszen and Darren Bilby.

Module 9: Configuring IPsec. Module Overview Overview of IPsec Configuring Connection Security Rules Configuring IPsec NAP Enforcement.

VoIP Security in Service Provider Environment Bogdan Materna Chief Technology Officer Yariba Systems.

1 Chapter 12: VPN Connectivity in Remote Access Designs Designs That Include VPN Remote Access Essential VPN Remote Access Design Concepts Data Protection.

Firewall Technologies Prepared by: Dalia Al Dabbagh Manar Abd Al- Rhman University of Palestine

5.1 © 2004 Pearson Education, Inc. Exam Designing a Microsoft ® Windows ® Server 2003 Active Directory and Network Infrastructure Lesson 5: Planning.

IP Security IP sec IPsec is short for Internet Protocol Security. It was originally created as a part of IPv6, but has been retrofitted into IPv4. It.

Security, NATs and Firewalls Ingate Systems. Basics of SIP Security.

Secure Wired Local Area Network( LAN ) By Sentuya Francis Derrick ID Module code:CT3P50N BSc Computer Networking London Metropolitan University.

©Stephen Kingham SIP Protocol overview SIP Workshop APAN Taipei Taiwan 23rd Aug 2005 By Stephen Kingham

Unleashing the Power of IP Communications™ Calling Across The Boundaries Mike Burkett, VP Products September 2002.

Securing Data Transmission and Authentication. Securing Traffic with IPSec IPSec allows us to protect our network from within IPSec secures the IP protocol.

Need for Security Control access to servicesControl access to services Ensure confidentialityEnsure confidentiality Guard against attacksGuard against.

Security at Line Speed: Integrating Academic Research and Enterprise Security.

Voice Over Internet Protocol (VoIP) Copyright © 2006 Heathkit Company, Inc. All Rights Reserved Presentation 11 – VoIP Hardware.

Chapter 12: Secure Communications and Network Attacks.

SOSIMPLE: A Serverless, Standards- based, P2P SIP Communication System David A. Bryan and Bruce B. Lowekamp College of William and Mary Cullen Jennings.

UNIT 7 SEMINAR Unit 7 Chapter 9, plus Lab 13 Course Name – IT482 Network Design Instructor – David Roberts – Office Hours: Tuesday.

Firewalls Definition: Device that interconnects two or more networks and manages the network traffic between those interfaces. Maybe used to: Protect a.

1Security for Service Providers – Dave Gladwin – Newport Networks – SIP ’04 – 22-Jan-04 Security for Service Providers Protecting Service Infrastructure.

Contents Software components All users in one location:

The study and demonstration on SIP security vulnerabilities

Server-to-Client Remote Access and DirectAccess

Goals Introduce the Windows Server 2003 family of operating systems

Enterprise Infrastructure Solutions for SIP Trunking

Ingate & Dialogic Technical Presentation

Presentation transcript:

SIP Security & the Future of VoIP Nate Klingenstein APAN 26 Queenstown August 5, ~ndk/apanSIP.pdf

Securing SIP The threats The existing protocol’s problems Attempted solutions Skype for comparison Next steps

The Threat Model A lot like any other network application’s problems Denial-of-Service (DoS) attacks Eavesdropping / Man in the Middle Spoofing, replay, spam (SPIT) Poor authentication, authorization Demonstrated attacks

Are these threats hypothetical? Security must always be pragmatic and proportional php php Human faces and voice recognition do provide limited authentication & protection

Enterprise Middleware Many universities and companies manage information about their members Directories, databases Applications use these data for better security, auditing, user services Large benefits for enterprise webapps

Specific Problems Authentication: HTTP digest, basic Realm-specific Traffic unencrypted Trust between realms and proxies poor Disconnected from identity management infrastructure

Possible Solutions Look a lot like the solutions for other old protocols: Hack security into an old protocol Firewall everything Accept that SIP is too difficult to secure

Security Attempts Many tries with varying success New RFC’s, internet-drafts Integration with RADIUS, TLS authentication Integration with directories Improved deployment practices

SURA/ViDe 4th Annual Workshop Inter-Realm SIP Bob on a desktop With a SIP VC-UA SIP Proxy Alice on a desktop With a SIP VC-UA INVITE Invite from Bob 180 Ringing 200 OK SIP Proxy If Bob is valid, Forward INVITE Can I trust you? Sure, I belong to the same club 180 Ringing Realm CGU.EDURealm: Microsoft.com

SAML + SIP Attempt to fix three major problems Authentication methods Realm trust Connection to infrastructure internet-drafts were written to make a SAML MIME on the invite, but failed

Firewall Everything Private networks VPN IDS/IPS TLS/IPSec Dedicated hardware devices STUN & TURN

Issues with Firewall Everything Cross-realm trust not addressed Possibly multiple interfaces and/or devices with private network One more step towards Internet quarantine...

Securing SIP A combination of approaches is necessary Network-level protection Federated trust Middleware integration Phones and other hardware make modification more difficult

14 Use of IPS between VoIP network and data IP network. Use of IDS between VoIP network and data IP network. Use NAC (network access control) such as 802.1X and RADIUS to authenticate hard phones. Softphones require the use of the separate VoIP network (physical LAN, VLAN, subnet address, etc.) from the data IP network. Softphones are allowed with IPSEC transport mode. Softphones are allowed with IPSEC VPNs. Use NAC (network access control) such as 802.1X and RADIUS to authenticate hard phones. Allow NAT traversal via STUN or TURN Internet proxies. Provide separate dedicated bandwidth for VoIP traffic to the Internet. VoIP Higher Ed Security Survey Which VoIP Security mechanisms do[n’t] you use?

15 VoIP Higher Ed Security Survey

The Skype Model Proprietary, decentralized protocol RC4 encryption Firewall and NAT detection, agility Central login server, hashed SIP used by SkypeOut/SkypeIn with PSTN interconnections; gateways to SIP phones

Can SIP Learn from Skype? TLS/IPSec offer good encryption Authentication over TLS (digest/PKI/SAML) is good Bandwidth, centralization not big problems The world has no central login server Cross-domain trust not solved

Conclusions SIP needs a lot of attention to be secure Existing ideas can address some shortcomings Some efforts stopped No central work combining all efforts Some attacks don’t have cost- effective solutions

Questions?