Columbia Verizon Research Security: SIP Application Layer Gateway
Eilon Yardeni, Columbia University
Gaston Ormazabal, Verizon Labs
May 23, 2006

Slide 2: Agenda
Team
Project Overview
  – Background
      What is the Problem
  – Goals
Technical Overview
  – Hardware Platform
  – Software Developed at Columbia
  – Integrated Testing and Analysis Tool
  – Large Scale Testing Environment
Conclusions

Slide 3: Team
Verizon
  – Stu Elby, VP Architecture
  – Jim Sylvester, VP Systems Integration and Testing
  – Gaston Ormazabal
Columbia
  – Prof. Henning Schulzrinne
  – Jonathan Lennox
  – Kundan Singh
  – Eilon Yardeni

Slide 4: Background
Columbia likes to work on real-life problems and analyze large data sets with the goal of improving generic architectures and testing methodologies
Columbia has world-renowned expertise in SIP
Verizon needs to solve a perimeter protection problem for the security of VoIP services
  – Protocol-aware Application Layer Gateway
Verizon needs to build a high-powered test tool to verify the performance and scalability of these security solutions at carrier-class rates
  – Security and performance are a zero-sum game

Slide 5: What is Dynamic Pinhole Filtering
SIP calls are stateful
RTP media ports are negotiated during signaling, assigned dynamically, and taken down
SIP signaling is done over a static port: 5060
  – The INVITE message contains an SDP body indicating the caller's incoming media port (e.g., )
  – The 200 OK response has SDP with the callee's incoming media port
Each port creates a pinhole in the firewall
Pinholes are kept open only until a BYE message signals the closing of both pinholes
The firewall must keep a state table with all active pinholes to check whether an arriving RTP packet can enter through an open pinhole; otherwise the packet is dropped

Slide 6: Example of Dynamic Pinhole Filtering (diagram: SIP UA User1 sends an INVITE whose SDP carries "c=IN IP4 ..." and "m=audio ... RTP/AVP 0"; SIP UA User2 answers with "SIP/2.0 200 OK" carrying its own c= and m=audio lines; the firewall's CAM table then holds both negotiated media ports, e.g. port 56432)
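The two slides above, as an added example that is not part of the original presentation or the Columbia/Verizon code: a small pinhole state table that learns the caller's media port from the INVITE's SDP, the callee's from the 200 OK, opens both pinholes, and closes them on BYE. The SIP messages, addresses and the 49170 port are constructed; the message layout is trimmed to the headers the filter needs.

```python
import re

# Constructed example of the pinhole state table the slides describe: the
# INVITE and its 200 OK each carry an SDP body whose c= and m=audio lines name
# that party's incoming RTP address and port; BYE closes both pinholes.
SDP_ADDR = re.compile(r"^c=IN IP4 (\S+)", re.M)
SDP_PORT = re.compile(r"^m=audio (\d+) RTP/AVP", re.M)
CALL_ID = re.compile(r"^Call-ID:\s*(\S+)", re.M | re.I)

def media_endpoint(msg):
    """Return the (ip, port) announced in a SIP message's SDP, or None."""
    a, p = SDP_ADDR.search(msg), SDP_PORT.search(msg)
    return (a.group(1), int(p.group(1))) if a and p else None

class PinholeFilter:
    def __init__(self):
        self.pending = {}   # Call-ID -> caller endpoint learned from INVITE
        self.calls = {}     # Call-ID -> set of pinholes opened for that call
        self.table = set()  # CAM-style lookup table of (dst_ip, dst_port)

    def on_sip(self, msg):
        """Track call state from intercepted signaling (the Firewall Control
        Module's job); only INVITE, its 200 OK and BYE matter here."""
        start_line = msg.split("\r\n", 1)[0]
        cid = CALL_ID.search(msg).group(1)
        if start_line.startswith("INVITE"):
            self.pending[cid] = media_endpoint(msg)
        elif start_line.startswith("SIP/2.0 200") and cid in self.pending:
            caller, callee = self.pending.pop(cid), media_endpoint(msg)
            self.calls[cid] = {caller, callee}
            self.table |= self.calls[cid]          # open both pinholes
        elif start_line.startswith("BYE") and cid in self.calls:
            self.table -= self.calls.pop(cid)      # close both pinholes

    def allow_rtp(self, dst_ip, dst_port):
        """Data-plane check: pass the packet only through an open pinhole."""
        return (dst_ip, dst_port) in self.table

# Constructed messages (headers trimmed to what the filter needs).
INVITE = ("INVITE sip:user2@example.com SIP/2.0\r\nCall-ID: c1\r\n\r\n"
          "v=0\r\nc=IN IP4 10.0.0.1\r\nm=audio 49170 RTP/AVP 0\r\n")
OK_200 = ("SIP/2.0 200 OK\r\nCall-ID: c1\r\n\r\n"
          "v=0\r\nc=IN IP4 10.0.0.2\r\nm=audio 56432 RTP/AVP 0\r\n")
BYE = "BYE sip:user2@example.com SIP/2.0\r\nCall-ID: c1\r\n\r\n"

def demo():
    fw = PinholeFilter()
    fw.on_sip(INVITE)
    before = fw.allow_rtp("10.0.0.2", 56432)     # nothing open until 200 OK
    fw.on_sip(OK_200)
    during = (fw.allow_rtp("10.0.0.1", 49170), fw.allow_rtp("10.0.0.2", 56432),
              fw.allow_rtp("10.0.0.2", 5004))    # unnegotiated port is dropped
    fw.on_sip(BYE)
    after = fw.allow_rtp("10.0.0.1", 49170)      # pinholes gone after BYE
    return before, during, after
```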

Slide 7: Project Goals
Program SIP-based dynamic pinhole filtering in a parallel processing hardware platform
Build an integrated testing and analysis tool that will validate the functionality and performance of the above device at carrier-class rates
  – The tool will provide automation of testing (script based)
Apply the testing tool to evaluate several Session Border Controllers on behalf of Verizon
Perform comparative analysis of architectural models and develop architectural improvements
Generalize the testing methodology

Slide 8: Applicability to Columbia
Hands-on experience with SIP Application Layer Gateways
  – Experience some SIP security related challenges
  – Experiment with carrier-class traffic and scale models
Hands-on experience with state-of-the-art programmable packet processing hardware
Enhance Columbia's SIP proxy with Firewall Control Proxy capabilities
Formalize a security benchmarking methodology for SIP ALGs

Slide 9: Applicability to Verizon
Verizon needs this functionality to perform at high rates for use:
  – In the protection of highly valued network assets
      Session Border Controllers for Packet Telephony
  – In the provision of security services to Enterprise customers for revenue
      VADS (SIP Application Layer Gateway)
Verizon needs to verify in the lab the performance and scalability of this technology prior to introduction in the network

Slide 10: CS-2000 Physical Architecture
Deep Packet Processing Module (DPPM)
   Executes the network application inspecting and controlling packet data
   Real-Time Silicon Database (128 bits wide x 512K long) and unstructured packet processing
   CAM technology
   Single or dual DPPM configurations for HA, performance or multiple use
   Physical connectivity: Gigabit Ethernet and OC-3/OC-12/OC-48 POS
Application Server Module (ASM)
   Hardened Linux infrastructure
   Hosts analysis applications
   Network element management (Web, CLI, SNMP, ODBC)
   Mandatory Access Control
Auxiliary Slots (future use)
   HDD module
   Telemetry inputs/outputs
   Optical bypass/HA module

Slide 11: CloudShield Application Platform
Applications are written in RAVE and "pushed" to the DPPM
Dynamic Pinhole Implementation
  – RAVE based
      Complex logic such as SIP call processing is difficult to implement in regular expressions (regex)
      Supports only a "thin" SIP functionality
  – SIP proxy controlling the DPPM (Midcom-like solution)
      Introduces a SIP proxy to DPPM data exchange problem
      Solved by using a Firewall Control Protocol
Columbia developed a breakthrough solution that allows a SIP proxy to be used with performance equal to the "thin" SIP-RAVE
  – Maximizes the use of RAVE
  – Uses full SIP proxy functionality

Slide 12: CS-2000 System with Dual DPPMs (diagram: system-level port distribution; an Application Server Module with a 1 GHz Pentium and two DPPMs with Intel IXP 2800 processors, connected over the backplane by Gigabit Ethernet interconnects and exposing 10/100 and 10/100/1000 ports)

Slide 13: Columbia Developed Modules
Software modules:
Static Filtering
  – Filtering of pre-defined ports (e.g., SIP, ssh)
Dynamic Filtering
  – Filtering of dynamically opened ports (e.g., RTP)
Switching Layer
  – Performs switching between the input ports
Firewall Control Module
  – Intercepts SIP call setup messages
  – Gets RTP ports from the SDP
  – Maintains call state
Firewall Control Protocol
  – The way the Firewall Control Module talks with the CloudShield
  – Pushes dynamic table updates to the data plane
  – Could be used by multiple SIP proxies that control one or more CloudShield firewalls
Diagram labels: "Programmed in RAVE, executed in the DPPM" (the filtering and switching modules) and "Part of the SIP proxy, executed in the Linux control plane" (the Firewall Control Module and Protocol)

Slide 14: Columbia Modules Diagram (diagram: the SIP proxy sipd with its Firewall Control Module runs on a Linux server and sends control messages over FCP/UDP to the CloudShield; in the data plane, inbound packets are looked up against the CAM dynamic table and the static table and are switched outbound or dropped)

Slide 15: Integrated Testing and Analysis Tool
Intelligent Integrated End Point tool components:
SIPUA Test Suite
  – Loader
  – Handler
Scanning Probes
  – nmap
Automated script-based control software
Timing devices
Data Analysis Module
  – Analyzes the handler's file for initial and teardown call delays
  – Number of packets dropped before pinhole opening
  – Number of packets crossing after pinhole closing
  – Scan results for pinhole coverage
Protocol Analyzer
  – SNORT
Graphical displays

Slide 16: Integrated Intelligent End Point (diagram: the SUT sits between the trusted and untrusted sides; an IIEP traffic generator running the SIPUA loader for signaling and media generation, port scanning probes and timing synchronization sends traffic through it, and an IIEP traffic analyzer running the SIPUA handler and SNORT receives the traffic passed through the pinholes and the media port scanning/probing traffic; control and analysis spans both end points)

Slide 17: SIPUA Methodology
Loader/Handler
  – Establishes calls using SIP
  – Sends 160-byte RTP packets every 20 ms
      Settable to a shorter interval if needed for granularity
  – Starts RTP sequence numbers from zero
  – Dumps call number, sequence number, current timestamp and port numbers to a file

Slide 18: SIPUA Traffic Generator (diagram: the SIPUA loader sends INVITEs through the SIP proxy to the SIPUA handler, which accepts call=1, call=2, call=3 and call=4)

Slide 19: Large Scale Integrated Testing and Analysis Environment
Pair of Intelligent Integrated End Points
  – Generate traffic for detailed analysis
External Traffic Generator
  – Supplies external stress on the SUT
  – SIPUA in array form supplies traffic from an array of 6 computer pairs
Controller
  – Automated script-based control software
  – Connects to the external traffic generation and the IIEP over ssh
  – Invokes traffic generation
  – Gathers, analyzes and correlates results
  – Analyzes handler/loader files for initial and teardown call delays
  – Matches port scanning results with the handler's file

Slide 20: Testbed Architecture (diagram: a GigE switch connects the loader IIEP, the SIP proxy, the handler IIEP, the external loaders and handlers (SIPUA) and the controller)

Slide 21: Problem Definition
The problem is parameterized along two independent vectors
  – Call rate (calls/sec)
      Related to the performance of the SIP proxy on the Pentium
  – Concurrent calls
      Related to the performance of table lookup in the IXP 2800

Slide 22: Testing and Analysis Methodology
Generate external load on the firewall
  – SIPUA Loader/Handler in external load mode
  – Generates thousands of concurrent RTP sessions
  – For 30K concurrent calls there are 120K open pinholes
  – CAM table length is 120K entries
      The search algorithm finds a match in one cycle
When the external load is established, run the IIEP analysis
  – SIPUA Loader/Handler in internal load mode
  – Port scanning and protocol analyzer
  – Increment the calls/sec rate
Measure pinhole opening and closing delays
  – Opening delay data provided in units of 20 ms packets
  – Closing delay data provided in units of 10 ms packets
Detect pinholes extraneously open
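The analysis the Data Analysis Module (slide 15) performs on the handler dump that the SIPUA methodology (slide 17) produces, as an added example that is not part of the original presentation or the Columbia tool: because the loader starts RTP sequence numbers at zero and sends one packet per interval, the first sequence number the handler sees counts the packets dropped before the pinhole opened, and any packet timestamped after the call's BYE crossed a pinhole that should already have been closed. The dump line format, the timestamps and the BYE times are constructed assumptions; the interval parameter covers the 10 ms setting used for closing-delay measurements.

```python
import re

PACKET_INTERVAL_MS = 20   # loader sends one 160-byte RTP packet every 20 ms

# Constructed handler dump in the field order the slides list (call number,
# RTP sequence number, timestamp, port); the exact line format is assumed.
HANDLER_DUMP = """\
call=1 seq=3 ts=1000.060 port=56432
call=1 seq=4 ts=1000.080 port=56432
call=1 seq=5 ts=1000.100 port=56432
call=1 seq=6 ts=1000.120 port=56432
call=2 seq=0 ts=1000.000 port=56434
call=2 seq=1 ts=1000.020 port=56434
call=2 seq=2 ts=1000.040 port=56434
"""
# Constructed time at which the controller saw each call's BYE go through.
BYE_TS = {1: 1000.105, 2: 1000.100}

LINE = re.compile(r"call=(\d+) seq=(\d+) ts=([\d.]+) port=(\d+)")

def parse_dump(text):
    """Group handler records as {call: [(seq, ts, port), ...]}."""
    recs = {}
    for m in LINE.finditer(text):
        call, seq, ts, port = int(m[1]), int(m[2]), float(m[3]), int(m[4])
        recs.setdefault(call, []).append((seq, ts, port))
    return recs

def analyze(dump, bye_ts, interval_ms=PACKET_INTERVAL_MS):
    """Per call: packets dropped before the pinhole opened (sequence numbers
    start at zero, so the first seq that got through counts the drops), the
    opening delay that implies, packets that still crossed after BYE, and the
    closing delay those crossings imply, all in units of packets."""
    out = {}
    for call, recs in parse_dump(dump).items():
        first_seq = min(seq for seq, _, _ in recs)
        crossed = sum(1 for _, ts, _ in recs if ts > bye_ts[call])
        out[call] = {
            "dropped_before_open": first_seq,
            "open_delay_ms": first_seq * interval_ms,
            "crossed_after_close": crossed,
            "close_delay_ms": crossed * interval_ms,
        }
    return out
```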

Slide 23: Data Results

Slide 24: Data Results (2)

Slide 25: Benefits to Verizon and Columbia
Technology transfer to Verizon Labs
  – Set up a replica of the Columbia testbed in the Silver Spring VoIP lab for rapid SBC evaluation
Licensing agreement with CloudShield
  – Currently negotiating a royalty agreement to take the technology to market
Intellectual property
  – Patents and publications

Slide 26: Technology Transfer
Silver Spring VoIP Lab testbed
  – Has 12 computers in parallel running SIPUA, SNORT, nmap and protocol analyzers
  – Set up Controller software
  – Interoperability testing with the local SIP proxy (Broadsoft)
  – SIPUA can be used for other SIP performance testing with modifications

Slide 27: Intellectual Property
Pending patent applications
  – "Fine Granularity Scalability and Performance of SIP Aware Border Gateways: Methodology and Architecture for Measurements"
      Inventors: Henning Schulzrinne, Kundan Singh, Eilon Yardeni (Columbia), Gaston Ormazabal (Verizon)
  – "Architectural Design of a High Performance SIP-aware Application Layer Gateway"
      Inventors: Henning Schulzrinne, Jonathan Lennox, Eilon Yardeni (Columbia), Gaston Ormazabal (Verizon)
Paper submitted to MASCOTS 2006
  – "Large Scale SIP-aware Application Layer Firewall"
      Authors: Henning Schulzrinne, Eilon Yardeni (Columbia), Gaston Ormazabal (Verizon)

Slide 28: Conclusions
Have implemented for the first time a SIP ALG that scales up to 30K concurrent calls at 300 calls/sec
  – This performance should satisfy Verizon "carrier-class" requirements at a reasonable cost
Have proved the hypothesis that CPU exhaustion will limit scalability because of degradation in performance
Have constructed a SIP proxy based model that will permit modularization
  – Hence increasing the scalability of future architectures
Have built a one-of-a-kind high-powered "black box" testing environment
  – Will permit Verizon to verify this technology for other vendors

Slide 29: Backup slides

Slide 30: Verizon Future Security Architecture (diagram: a call server network on a shielded CallP VLAN exchanging H.248, MPCP and SIP signaling with the Verizon packet telephony access/aggregation network, CPE/enterprise networks and the public Internet, with media proxies and packet filtering in between; elements labelled MG9K, PVG, NGSS, PP8600, GWC, CISCO 6509, MS20x0 and Juniper M40; the legend distinguishes unsecured signaling protocol, ACL-secured signaling protocol and media traffic)