© 2006 Solegy LLC Internal Use Only Getting Connected with SIP Encryption _______________________________ By Eric Hernaez Solegy LLC May 16, 2007.

This Session will Cover:
- Why VoIP Calls are Being Blocked
- How VoIP Calls are Being Blocked
- Technical Approaches to Avoid SIP Blocking
- What You Can do to Leverage Development Efforts

This Session is Not About:
- Authentication (Identity Verification)
- Privacy/Confidentiality
- Intrusion Protection
- Denial of Service Attacks
- SPIT (Spam over Internet Telephony)

What is VoIP Blocking?
- Denial of Service
- Degradation of Service
- Encourage an Aura of Inconsistency
- Project an Image of Poor Quality

Why are VoIP Calls Being Blocked?
- Net Neutrality (commercial motives)
  – Avoiding Competition
  – Differentiate Own Services
  – Protecting Legacy Services
- Security
  – Control Communications
  – Protection from the Unknown

From the Cingular Data Subscriber Agreement:
"Data Service sessions may only be conducted for the following purposes: (i) Internet browsing; (ii) ; and (iii) corporate intranet access (including access to corporate , customer relationship management, sales force automation, and field service automation applications). The Services cannot be used with server devices or host computer applications. Prohibited uses include, but are not limited to, telemetry applications, automated data feeds, continuous jpeg file transfers, Web camera posts or broadcasts, other machine-to-machine applications, and voice over IP."

How are VoIP Calls Being Blocked?
- IP Address Blocking
- DNS Blocking
- Port Blocking
  – Default SIP Port 5060
  – RTP Buffers
- Packet Inspection
  – Commercial Solutions Available
  – SIP-Aware ALG
  – SIP Message Transfiguration
- Registration Hijacking
  – Exploit the Via Header

Reminder: Basic Topology
[Figure: Alice, the Atlanta proxy, the Biloxi proxy and Bob. The INVITE and the OK traverse both proxies; RTP flows directly between Alice and Bob. The figure marks the points where each path can be blocked.]
- SIP and RTP follow different paths
  – SIP: Signaling path (through the proxies)
  – RTP: Media path (end to end)
- Media path is often faster (fewer hops)

SIP Is Easy To Detect
- SIP/SDP Headers are ASCII Text
- The request line (e.g. "INVITE sip:... SIP/2.0") and the Via header are fixed strings, so a packet-inspection filter can match them on any port, not only 5060
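What "easy to detect" means in practice, as an added example that is not part of the Solegy deck: the Python below models the two filters from the blocking slide (a port rule for 5060 and a payload signature that works on any port), then applies the "simple cipher" idea the deck comes back to later, a repeating-key XOR over the message, and recovers the key from the known plaintext every SIP request begins with. The INVITE, the TLS record stub, the XOR key and the atlanta/biloxi hostnames are constructed for the demonstration.

```python
"""Signature detection of clear-text SIP, the way a port-agnostic DPI filter sees it.

Added example, not from the Solegy deck. The INVITE, the TLS record stub and the
XOR key below are constructed for the demonstration.
"""
import re

# Request methods from RFC 3261 and its common extensions; method tokens are case-sensitive.
SIP_METHODS = ("INVITE", "ACK", "BYE", "CANCEL", "OPTIONS", "REGISTER", "SUBSCRIBE",
               "NOTIFY", "REFER", "MESSAGE", "INFO", "UPDATE", "PRACK")
_REQUEST_LINE = re.compile(rb"^(?:%s) \S+ SIP/2\.0\r?$" % b"|".join(m.encode() for m in SIP_METHODS))
_STATUS_LINE = re.compile(rb"^SIP/2\.0 \d{3} ")
_VIA = re.compile(rb"^(?:Via|v):", re.MULTILINE | re.IGNORECASE)


def looks_like_sip(payload: bytes) -> bool:
    """True if the payload opens with a SIP request- or status-line and carries a Via header."""
    first_line, sep, rest = payload.partition(b"\n")
    if not sep:
        return False
    if not (_REQUEST_LINE.match(first_line) or _STATUS_LINE.match(first_line)):
        return False
    return _VIA.search(rest) is not None


def blocking_verdict(dst_port: int, payload: bytes) -> str:
    """Model the two filters on the 'How are VoIP Calls Being Blocked' slide:
    a port rule for 5060, then a payload signature that works on any port."""
    if dst_port == 5060:
        return "port-blocked"
    if looks_like_sip(payload):
        return "dpi-blocked"
    return "passed"


def xor_obfuscate(data: bytes, key: bytes) -> bytes:
    """The 'simple cipher' approach: a repeating-key XOR over the whole message."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def break_xor_sip(payload: bytes, max_key_len: int = 16):
    """Known-plaintext recovery: every SIP request starts with '<METHOD> sip:', so trying
    each method and each key length yields the key as soon as the result parses as SIP.
    Returns (key, cleartext) or None."""
    for method in SIP_METHODS:
        prefix = method.encode() + b" sip:"
        for k in range(1, min(max_key_len, len(prefix)) + 1):
            key = bytes(payload[i] ^ prefix[i] for i in range(k))
            clear = xor_obfuscate(payload, key)
            if looks_like_sip(clear):
                return key, clear
    return None


# Constructed INVITE in the shape of the RFC 3261 Alice -> Bob example.
INVITE = (
    b"INVITE sip:bob@biloxi.example.com SIP/2.0\r\n"
    b"Via: SIP/2.0/UDP pc33.atlanta.example.com;branch=z9hG4bK776asdhds\r\n"
    b"Max-Forwards: 70\r\n"
    b"To: Bob <sip:bob@biloxi.example.com>\r\n"
    b"From: Alice <sip:alice@atlanta.example.com>;tag=1928301774\r\n"
    b"Call-ID: a84b4c76e66710@pc33.atlanta.example.com\r\n"
    b"CSeq: 314159 INVITE\r\n"
    b"Content-Length: 0\r\n\r\n"
)
# Constructed first bytes of a TLS record carrying a ClientHello (not a real handshake).
TLS_CLIENT_HELLO = b"\x16\x03\x01\x00\x2f\x01\x00\x00\x2b\x03\x01" + b"\x00" * 32


if __name__ == "__main__":
    obfuscated = xor_obfuscate(INVITE, b"\x5a\xa5\x3c")
    for port, name, data in [(5060, "clear INVITE", INVITE), (12345, "clear INVITE", INVITE),
                             (12345, "TLS record", TLS_CLIENT_HELLO), (12345, "XOR'd INVITE", obfuscated)]:
        print("%-13s to port %5d: %s" % (name, port, blocking_verdict(port, data)))
    key, clear = break_xor_sip(obfuscated)
    print("XOR key recovered from known plaintext: %s -> SIP again: %s" % (key.hex(), looks_like_sip(clear)))
```

Moving off port 5060 defeats only the port rule; the clear-text INVITE is still caught by the signature. The XOR'd copy passes the signature, but a filter vendor who sees a few of those packets recovers the key from the fixed request-line prefix and adds the decoded form as a new signature, which is why the deck rates simple ciphers as easy to detect and not a privacy mechanism. Only the TLS record gives the filter nothing to match.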

Using Encryption to Avoid SIP Blocking
Considerations:
- Divergent Objectives (these protocols were designed for confidentiality and authentication, not for getting past filters)
- Security by Obscurity?
- Ease of Implementation
- Ease of Use
Who's in the Ecosystem?
- ATA/Device Vendors
- Proxy Vendors
- Service Providers

Common Approaches to Encryption:
Transport Layer
- IPsec (strictly a network-layer protocol, but it fills the same role here)
- TLS or DTLS for SIP/SDP
- SRTP for Media
- ZRTP (Zfone) for Media
Application Layer
- S/MIME (treat SIP like e-mail)

IPsec
Pro:
- Easy to Implement
- Supported by Many ATA/Router Combos
- Widely Known and Understood
- Protects all Communication (not just SIP)
Con:
- Point-to-Point Solution; does not Support Mobility
- Usually Requires New CPE
- Requires Tunnel to Proxy
- Always Requires Media Proxy
- The tunnel itself is easy to fingerprint (ESP is IP protocol 50; NAT traversal uses UDP 4500), so a network that blocks VoIP can block the tunnel instead

TLS/DTLS
Pro:
- Standard: TLS - RFC 2246 (TLS 1.0); DTLS for SIP - draft-jennings-sip-dtls-03
- TLS uses TCP, so it looks like web traffic (only once it is moved off the default SIPS port 5061, typically onto 443)
- Addresses Privacy and Authentication Issues
- Gaining Support from Solution Providers
- Easy to Use
Con:
- Does not Protect Media; RTP Encryption Optional
- Requires PKI, Server Certificates
- Difficult to Implement
- Protection is hop by hop: each proxy terminates TLS and sees the SIP/SDP in the clear

SRTP
Pro:
- Standard - RFC 3711
- Gaining Adoption among Solution Providers
- Does Not Require Media Proxy
Con:
- Needs a separate keying mechanism (SDP Security Descriptions, MIKEY or DTLS); the certificate-based options need a PKI
- Networks Can Block Access to the PKI
- Requires a Handshake; Can Increase Call Setup Time
- Does Not Address SIP/SDP Encryption

ZRTP (later published as RFC 6189)
Pro:
- SRTP keying without a PKI (Diffie-Hellman exchange in the media path)
- Easy to Use SDK
- Zimmermann Pedigree
- Addresses Privacy and Authentication Issues
- Does Not Require Media Proxy
Con:
- Does Not Address SIP/SDP Encryption
- Not Widely Supported

Design Choices
- Handshake in the signaling channel
  – MIKEY, Security Descriptions (SDES)
  – Already written up and implemented
  – Problems with forking and media-before-SDP-answer: the offerer's key is carried in the INVITE, so every forked branch receives the same key, and early media can arrive before the answer that carries the far end's key
- Handshake in the media channel
  – ZRTP, EKT, DTLS-SRTP (RTP/DTLS)
  – Internet Drafts only (as of 2007)
  – Work well with forking and media-before-SDP-answer, because each media path negotiates its own key
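The signaling-channel handshake in its simplest form, SDP Security Descriptions (RFC 4568), as an added example that is not code from the Solegy deck: the offerer lists one a=crypto line per acceptable suite with a fresh master key in each, the answerer picks one and replies with the same tag and its own key, and the offerer validates the answer. Keys are drawn from os.urandom; the RFC4568_EXAMPLE line is the one printed in RFC 4568 section 9.1. This also shows why the deck says SRTP "does not address SIP/SDP encryption" and why forking is a problem here: the master keys are in the SDP in base64, so anyone who can read the signaling, including every proxy when TLS is only hop by hop, can read the media key, and every forked branch gets the offerer's key.

```python
"""SDP Security Descriptions (RFC 4568) offer/answer for SRTP keying.

Added example, not from the Solegy deck. Keys are drawn from os.urandom; the
RFC4568_EXAMPLE line is the one printed in RFC 4568 section 9.1.
"""
import base64
import os
import re

# crypto-suite -> (master key length, master salt length) in bytes, RFC 4568 section 6.2
SUITES = {
    "AES_CM_128_HMAC_SHA1_80": (16, 14),
    "AES_CM_128_HMAC_SHA1_32": (16, 14),
}

# a=crypto:<tag> <crypto-suite> inline:<base64(key||salt)>[|lifetime][|MKI:length]
_CRYPTO = re.compile(
    r"^a=crypto:(?P<tag>\d+) (?P<suite>\S+) inline:(?P<keysalt>[A-Za-z0-9+/]+=*)"
    r"(?:\|(?P<lifetime>2\^\d+|\d+))?(?:\|(?P<mki>\d+):(?P<mki_len>\d+))?$"
)

RFC4568_EXAMPLE = ("a=crypto:1 AES_CM_128_HMAC_SHA1_80 "
                   "inline:WVNfX19zZW1jdGwgKCkgewkyMjA7fQp9CnVubGVz|2^20|1:32")


def build_crypto(tag, suite, key, salt, lifetime="2^31"):
    """Serialise one a=crypto line. The master key and salt travel base64-encoded, in the clear."""
    klen, slen = SUITES[suite]
    if len(key) != klen or len(salt) != slen:
        raise ValueError("key/salt length does not fit %s" % suite)
    return "a=crypto:%d %s inline:%s|%s" % (
        tag, suite, base64.b64encode(key + salt).decode("ascii"), lifetime)


def parse_crypto(line):
    """Parse and validate an a=crypto line into its fields; reject unknown suites and bad lengths."""
    m = _CRYPTO.match(line.strip())
    if not m:
        raise ValueError("not an a=crypto line: %r" % line)
    suite = m.group("suite")
    if suite not in SUITES:
        raise ValueError("unsupported crypto-suite %s" % suite)
    klen, slen = SUITES[suite]
    keysalt = base64.b64decode(m.group("keysalt"), validate=True)
    if len(keysalt) != klen + slen:
        raise ValueError("expected %d key||salt bytes, got %d" % (klen + slen, len(keysalt)))
    mki = (int(m.group("mki")), int(m.group("mki_len"))) if m.group("mki") else None
    return {"tag": int(m.group("tag")), "suite": suite, "key": keysalt[:klen],
            "salt": keysalt[klen:], "lifetime": m.group("lifetime"), "mki": mki}


def make_offer(suites=("AES_CM_128_HMAC_SHA1_80", "AES_CM_128_HMAC_SHA1_32")):
    """Offerer: one a=crypto line per acceptable suite, each with its own fresh key."""
    lines, keys = [], {}
    for tag, suite in enumerate(suites, start=1):
        klen, slen = SUITES[suite]
        key, salt = os.urandom(klen), os.urandom(slen)
        lines.append(build_crypto(tag, suite, key, salt))
        keys[tag] = (key, salt)
    return lines, keys


def make_answer(offer_lines, supported):
    """Answerer: take the first offered suite it supports and reply with the same tag
    and its own key (RFC 4568 section 7.1.3); fail closed when nothing overlaps."""
    for line in offer_lines:
        offer = parse_crypto(line)
        if offer["suite"] in supported:
            klen, slen = SUITES[offer["suite"]]
            key, salt = os.urandom(klen), os.urandom(slen)
            return build_crypto(offer["tag"], offer["suite"], key, salt), offer
    raise ValueError("no common crypto-suite")


def offerer_keys(offer_lines, offer_keys, answer_line):
    """Offerer: check the answer against what was offered and return the SRTP master keys
    it will send with (its own) and receive with (the answerer's)."""
    answer = parse_crypto(answer_line)
    offered = {parse_crypto(l)["tag"]: parse_crypto(l)["suite"] for l in offer_lines}
    if offered.get(answer["tag"]) != answer["suite"]:
        raise ValueError("answer tag/suite does not match the offer")
    return {"suite": answer["suite"], "tx": offer_keys[answer["tag"]],
            "rx": (answer["key"], answer["salt"])}


if __name__ == "__main__":
    offer, my_keys = make_offer()
    answer, _ = make_answer(offer, {"AES_CM_128_HMAC_SHA1_32"})
    print("\n".join(offer))
    print(answer)
    chosen = offerer_keys(offer, my_keys, answer)
    print("negotiated", chosen["suite"], "tx key", chosen["tx"][0].hex(), "rx key", chosen["rx"][0].hex())
```

Run it and read the printed lines: the 30 bytes after "inline:" are the AES master key and salt that protect the call. That is the whole point of the SRTP con list above: SDES is exactly as private as the path the INVITE takes.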

Uncommon Approaches to Encryption: Security by Obscurity
- Why Skype Thrived
- Changing the VoIP Signature
- Simple Ciphers
  – Applied to SIP/SDP Only
  – Applied to Media

Simple Ciphers
Pro:
- Easy to Implement
- Easy to Use
- Can Apply to Signaling and Media
Con:
- Requires Support Throughout the Ecosystem
- Not Difficult to Detect (every request starts with a known method name, so a fixed XOR or substitution key is recoverable from that known plaintext, and the filter vendor only needs to add one more signature)
- Does not Address Privacy or Authentication

Lessons from the Field:
- Control all you can: DNS, Proxy
- Always use non-standard ports (this defeats port rules only; packet inspection still sees clear-text SIP)
- DNS SRV for IP address and port flexibility
- Simple ciphers work best if you can get support from the ecosystem
- Engineer flexibility into the solution
- Plan to proxy media
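How "control DNS", "non-standard ports" and "DNS SRV" fit together, as an added example that is not from the Solegy deck: a client that locates servers per RFC 3263 asks for _sips._tcp or _sip._<transport> SRV records and takes host and port from the answer, so the operator can move proxies and ports from the zone file without touching any device. The zone data and the domain voip.example.net are constructed for the demonstration; a real client would fetch the records from a resolver. The caveat from the blocking slide still applies: a network that blocks DNS lookups for the domain defeats this too.

```python
"""RFC 3263 server location via DNS SRV records, as an added example (not from the Solegy deck).

The record set below stands in for a zone the operator controls; it is constructed,
and the domain voip.example.net is hypothetical. A real client would query a resolver.
"""
import random

# SRV RRs as (priority, weight, port, target), RFC 2782. Note the non-standard ports:
# the client learns them from DNS, so nothing has to be configured on the device.
SRV_RECORDS = {
    "_sips._tcp.voip.example.net": [
        (10, 60, 5443, "tls1.voip.example.net"),
        (10, 40, 5443, "tls2.voip.example.net"),
        (20, 0, 443, "tls-backup.voip.example.net"),
    ],
    "_sip._tcp.voip.example.net": [(10, 0, 5070, "tcp1.voip.example.net")],
    "_sip._udp.voip.example.net": [(10, 0, 5070, "udp1.voip.example.net")],
}


def srv_name(domain, transport, secure=False):
    """RFC 3263 section 4.2: _sips._tcp.<domain> for a SIPS URI, else _sip._<transport>.<domain>."""
    if secure and transport != "tcp":
        raise ValueError("SIPS requires TLS over TCP")
    return "_%s._%s.%s" % ("sips" if secure else "sip", transport, domain)


def order_srv(records, rng=random):
    """RFC 2782 selection: lower priority first; inside one priority, weighted random order."""
    by_priority = {}
    for rr in records:
        by_priority.setdefault(rr[0], []).append(rr)
    ordered = []
    for prio in sorted(by_priority):
        pool = sorted(by_priority[prio], key=lambda rr: rr[1])  # weight-0 entries first, per RFC
        while pool:
            total = sum(rr[1] for rr in pool)
            pick = rng.randint(0, total)
            running = 0
            for rr in pool:
                running += rr[1]
                if running >= pick:
                    ordered.append(rr)
                    pool.remove(rr)
                    break
    return ordered


def resolve(domain, transport="tcp", secure=True, records=SRV_RECORDS, rng=random):
    """Ordered (host, port) candidates for a SIP domain. Without SRV data, RFC 3263 falls
    back to the domain itself on the default port (5061 for SIPS, 5060 otherwise)."""
    rrs = records.get(srv_name(domain, transport, secure))
    if not rrs:
        return [(domain, 5061 if secure else 5060)]
    return [(rr[3], rr[2]) for rr in order_srv(rrs, rng)]


if __name__ == "__main__":
    for cand in resolve("voip.example.net", secure=True):
        print("sips candidate: %s:%d" % cand)
    print("sip over udp:", resolve("voip.example.net", "udp", secure=False))
    print("no SRV published:", resolve("other.example", "udp", secure=False))
```

The two priority-10 targets share the load in a 60/40 split and the priority-20 backup on port 443 is only tried after both fail, which gives the "engineer flexibility into the solution" point a concrete shape: changing ports, adding capacity or retiring a proxy is a zone edit, provided the devices actually implement SRV lookup rather than a hard-coded proxy address.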

Questions?