1 Sipera Systems, Proprietary & Confidential IMS Security and Protection Micaela Giuhat VP Product Management Sipera Systems

2 Sipera Systems, Proprietary & Confidential Outline Open system security VoIP security requirements Industry approach and strategies IMS security requirements IMS vulnerabilities Attack examples Solution Summary

3 Sipera Systems, Proprietary & Confidential Denial of Service Attacks Viruses SPYware Blended Attacks SPAM Open Systems can be attacked Internet External Web Servers Internal Web Servers Servers Traditional voice network is closed system VS Internet which is open Core Network Bad Guys

4 Sipera Systems, Proprietary & Confidential The Internet Security Industry Applications Protected Web Apps Database Internet External Web Servers Internal Web Servers Servers IDS Firewall But… Problems still persist Core Network IPS SPAM Filter Network Security Logs Correlation

5 Sipera Systems, Proprietary & Confidential Enter VoIP Internet External Web Servers Internal Web Servers Servers IDS Firewall Communication Servers IPS SPAM Filter Network Security Logs Correlation VoIP is different … Real time Peer-to-peer Protocol rich Complex state machine (several dozen states) Feature rich (several hundred services) Separate signaling & media planes Low tolerance to false positives & negatives Core Network

6 Sipera Systems, Proprietary & Confidential Internet External Web Servers Internal Web Servers Servers IPS SPAM Filter Network Security Logs Correlation IDS Firewall Communication Servers Current Industry Approach Approach is unworkable: 1. Not real time 2. Cannot handle encrypted traffic 3. Can’t keep up with new feature addition Current Industry thinking is to add VoIP sensibilities to all the existing security boxes; Although nothing is actually available yet … Core Network

7 Sipera Systems, Proprietary & Confidential Hard to manage Will not meet performance specifications Does not address multi vendor Cannot keep up with new features Not available yet Current Strategies Core switch PSTN GW Guard Security Agent FW/ALG Certs IDS/IPS Protect against Windows OS vulnerabilities Opens pinholes Authentication Encryption Scrub IP DoS/DDoS Traffic VoIP Traffic analysis Signature/Anomaly Filtering Event Correlation Remediation ALG is vulnerable Cannot stop Spoofed Caller IDs Limited signatures May block Good calls

8 Sipera Systems, Proprietary & Confidential Integrated, real time VoIP security solution that comprehensively tackles all VoIP vulnerabilities, both Enterprise & Carrier Internet External Web Servers Internal Web Servers Servers IPS SPAM Filter Network Security Logs Correlation IDS Firewall Communication Servers Desired Approach IP Communications Security (IPCS) Solution Core Network

9 Sipera Systems, Proprietary & Confidential Tolerance for False Negatives: Vs Voice Security Device Server Store Analyze Forward in near-real time Delivery Mode: may not be extracted Immediately; can be deleted fairly easily; low annoyance level False negative Low volume attack Security Device Call delivered in real time; phone rings constantly; high annoyance level Call Delivery Mode: Analyze Forward in real time False negative Call Server Low volume Voice attack

10 Sipera Systems, Proprietary & Confidential Anti-SPAMFirewallIntrusion Prevention SystemDenial of Service PreventionNetwork Level CorrelationIntrusion Detection System Typical Solution vs. Desired Solution OSIPWeb OSIPWeb database IPWeb OSIPWeb OSIPWeb database VoIP Comprehensive Integrated Security Solution for Communications Applications (VoIP, IM, Video, Multi-Media)

11 Sipera Systems, Proprietary & Confidential Comprehensive IMS Security System A Comprehensive IMS Security System must: – Prevent unauthorized usage – Protect end-user privacy – Protect IMS infrastructure from attacks – Protect end-users from attacks – Handle voice SPAM

12 Sipera Systems, Proprietary & Confidential Protection Techniques Authentication (SIM) Encryption (IPSec, TLS) IMS Aware Firewall (Policy based filters: URL/IMSI/MSISDN/AP/IP white/black lists, etc) IMS Intrusion Prevention (Call Stateful Deep packet inspection (IMS decode), Behavioral learning (finger printing), Protocol fuzzing prevention, media filtering, etc.) IMS SPAM Filter (User control, Behavioral learning (call patterns, trust scores), Machine Call detection, etc. IMS Network Level Security Management (Event correlation, Network Threat Protection ) Vulnerabilities Unauthorized usePrivacy Attacks on Infrastructure Attacks on End-users IMS SPAM Well Defined by 3GPP, Addressed by Core IMS infrastructure: SIM, HSS, AAA, PDG Not addressed Security Aspects addressed in IMS

13 Sipera Systems, Proprietary & Confidential IP Traffic Characteristics Non-Real time Client - Server Real time IMS/SIP/H.248/RTP/MPEG aware Call State & Service aware WebDatabaseVoIPIMSIP TV Existing Internet Security Solutions Not addressed TCP/UDP/ICMP/FTP/HTTP/SQL aware Peer - Peer User & Traffic Behavioral Learning Security Aspects addressed in IMS

14 Sipera Systems, Proprietary & Confidential IMS reference architecture IP Transport (Access and Core) AS HSS P-CSCF S- BGCF I-CSCF SLF Charging Functions UE Mw Mr Mg Mj Mi MpMn Gq ISCCx Dx Dh Sh Rf/Ro Cx MRFC MGCF MRFP Mi Mw AS HSS GGSN P-CSCF S- BGCF I-CSCF SLF Charging Functions UE Mw Mr Mg Mj Mi MpMn ISCCx Dx Dh Sh Rf/Ro Cx MRFC MGCF MRFP Mi Mw SIP DIAMETER H.248 PDF MRFPMGW PSTN IP Transport (Access and Core)

15 Sipera Systems, Proprietary & Confidential IMS & SIP enable a rich feature set of Converged Services ….. but also open up the network to IP based vulnerabilities IMS & SIP vulnerabilities include: OS level vulnerabilities IP Layer 3 vulnerabilities IMS Framework related vulnerabilities SIP/RTP/H.248/etc. protocol vulnerabilities VoIP/Video/PoC/etc. Application vulnerabilities VoIP SPAM Well known in the data world New, unique & real time sensitive Application level vulnerabilities P/S/I CSCF SLF/PDF/IBCF/IWF MGCF MRFC BGCF SGF MGW MRFP T-MGF IMS core IMS Vulnerabilities SIP Server Call Server Media Gateway HSSAppsChrg IP-IP GW ABGF IBGF

16 Sipera Systems, Proprietary & Confidential IMS Architecture Vulnerabilities: Some Examples Compromised mobile phones –Zombie hard/soft phones –Modified phone with malicious intent Malicious/Malformed/Spoofed signaling attacks Malicious/Malformed/Spoofed media attacks Spoofed IMS Emergency session attacks Presence update attacks Initiating Conferencing to block the network resources UE having direct access to the IMS core network –Charging fraud - Signaling directly to S-CSCF to avoid charging Misconfigured/partially configured UEs and/or Network elements Non-GPRS access such as WLAN or BB can be attacked directly from the internet without a subscription SPAM

17 Sipera Systems, Proprietary & Confidential IMS Application Level Attacks Zombie attackers Spoofed Packets Spammer P/S/I CSCF SLF/PDF/IBCF/IWF MGCF MRFC BGCF SGF MGW MRFP T-MGF MMD core SIP ServerCall Server Media Gateway HSSAppsChrg IP-IP GW ABGF IBGF Both Network & Subscribers can be attacked Human attackers Attack Types: Flood Denial of Service Signaling Media Distributed DoS Stealth DoS Target individual or group of users Blended attacks Recruit zombies and use them to launch an attack SPAM SPAM over Internet Telephony (SPIT)

18 Sipera Systems, Proprietary & Confidential IMS Vulnerability Protection System Reference Architecture Zombie attackers Human attackers Spammer IMS Vulnerability Protection System IMS Vulnerability Protection System is distinct from the IMS core infrastructure P/S/I CSCF SLF/PDF/IBCF/IWF MGCF MRFC BGCF SGF MGW MRFP T-MGF IMS core SIP Server Call Server Media Gateway HSSAppsChrg IP-IP GW ABGF IBGF

19 Sipera Systems, Proprietary & Confidential Attack Summary An IMS network built to 3GPP or TISPAN specifications compliance has numerous vulnerabilities An attack on the network could cause network-wide outages including bringing down HSSs, App Servers, SIP servers, Call Servers, Media Gateways and IP-IP Gateways Attacks towards specific targeted individual users could cause them extreme annoyance and disrupt their service in insidious ways Sipera Systems research team has identified over 90 distinct categories of attacks These attacks require hackers with varying levels of sophistication, but many attacks are possible even by so called “script kiddies”