VoIP Defender: The Future of VoIP Protection
Fraunhofer FOKUS Institute, Germany (Fraunhofer FOKUS 2007)


VoIP-Defender – Why?

A steadily increasing number of customers makes VoIP a first-class target for attackers.

Attacks are aimed at:
- The service itself (e.g. DDoS, spoofing)
- The customer (SPIT, fraud, call hijacking)
- The service provider (e.g. SQL injection)

Already observed:
- REGISTER / INVITE flooding
- Multi-source flooding
- Unresolvable DNS names
- Unintentional misbehavior / misconfiguration (not an attack)

What will we see tomorrow?

VoIP-Defender – What is it?

VoIP-Defender is a framework for detection algorithms.

- Highly scalable
  - Copes with high-bandwidth attacks, especially DoS.
  - Multiple scalability levels plus parallel processing.
- Invisible placement
  - Attackers cannot see the presence of the VoIP-Defender.
- Autonomously working
  - No support from the proxy needed, thus proxy-agnostic.
  - Traffic pass-through by default.
- Intelligent monitoring and defence
  - Especially designed for SIP networks
  - Includes SIP/IMS parser, SIP state machine, SIP properties
  - Sees actual ongoing SIP network traffic
  - Monitoring and defence algorithms dynamically enabled / disabled
  - Already multiple monitoring and detection algorithms
- User control interface: terminal, GUI

VoIP-Defender – Where is it?

VoIP-Defender is placed between the service provisioning platform and the customers.
- Classical firewall position.
- Multi-link monitoring and protection possible.

[Diagram labels: Legal Users, Attacker, VoIP-Defender, Services]

VoIP-Defender – Architecture Overview

- Transport Level Load Balancers (TLLB)
- Filter/Scanner Nodes (FSN)
- Analyzers (parallel part of the algorithms)
- Deciders (sequential part of the algorithms)

[Diagram labels: Internet, TLLB, FSN, Analyzer 1 (Alg1, Alg2), Analyzer 2 (Alg1, Alg2), Decider plane (Alg1, Alg2), Service, Traffic, Reconstructed Messages, Rules, Algorithmic knowledge]

VoIP-Defender – Architecture: Transport Level Load Balancing (Internet side)

- MAC-layer transparent.
- Simple load balancing using information from up to the transport layer.
- Incoming packets from the same source IP address are sent out via the same port (mapping).
- Outgoing packets to unassociated IP addresses also create a mapping.

[Diagram labels: Clients, TLLB Internet Side, Mappings, Ports, FSN1, FSN2, FSN3, Incoming, Outgoing]

VoIP-Defender – Architecture: Transport Level Load Balancing (service side)

- Outgoing packets to the same source IP address are sent out via the same port (mapping).
- Incoming packets from unassociated IP addresses also create a mapping.

[Diagram labels: Service, TLLB Service Side, Mappings, Ports, FSN1, FSN2, FSN3, Incoming, Outgoing]
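
The Internet-side mapping behaviour described above, as an added sketch (not Fraunhofer FOKUS code). The class name, the least-loaded choice for a new client and the sample addresses are assumptions; the point is that both directions are keyed by the client address, so a dialogue stays on one FSN.

```python
import ipaddress

class InternetSideTLLB:
    """Sticky client-IP -> FSN-port table for the Internet-side TLLB."""

    def __init__(self, fsn_ports):
        self.fsn_ports = list(fsn_ports)
        self.mappings = {}                       # client IP -> FSN port
        self.load = {p: 0 for p in self.fsn_ports}

    def _port_for(self, client_ip):
        ip = str(ipaddress.ip_address(client_ip))    # normalise; rejects garbage
        if ip not in self.mappings:
            # Assumption: a new client is placed on the port with the fewest
            # mappings; the slides only say the balancing is "simple".
            port = min(self.fsn_ports, key=self.load.get)
            self.mappings[ip] = port
            self.load[port] += 1
        return self.mappings[ip]

    def incoming(self, src_ip, dst_ip):
        """Packet from the Internet: keyed by its source (client) address."""
        return self._port_for(src_ip)

    def outgoing(self, src_ip, dst_ip):
        """Packet towards the Internet: keyed by its destination (client) address."""
        return self._port_for(dst_ip)

def demo():
    """Constructed addresses (documentation ranges); returns the chosen ports."""
    tllb, svc = InternetSideTLLB(["FSN1", "FSN2", "FSN3"]), "192.0.2.10"
    return [
        tllb.incoming("198.51.100.7", svc),   # new client: creates a mapping
        tllb.incoming("198.51.100.8", svc),   # second client: next free port
        tllb.outgoing(svc, "203.0.113.9"),    # service speaks first: also maps
        tllb.incoming("203.0.113.9", svc),    # reply direction: same FSN
        tllb.incoming("198.51.100.7", svc),   # repeat sender stays on its FSN
    ]
```

Every distinct source address creates an entry, so a deployed table needs an expiry or size limit; the slides do not say how VoIP-Defender handles this.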

VoIP-Defender – Architecture: Filter & Scanner Node

[Diagram labels: IP defrag, UDP, TCP, SIP extractor, Rule Processing, Frame Cache, Frames, Verdict, Analyzer selection, User Space, Kernel Space Bridge, User Space Message Inspection, Filter Rule Control, Analyzer, Decider, Incoming, Outgoing, SIP + Meta]

Walkthrough of a SIP message passing through the Filter & Scanner Node (the same diagram is repeated on each slide):

- A UDP packet arrives.
- The frame is forked: one copy for the Frame Cache, another one for analysis.
- The packet is inspected for completeness in terms of IP, UDP and SIP.
- Potentially many packets are necessary to assemble a complete SIP message. This one is incomplete.
- The rest of the SIP message arrives.
- It is also duplicated: one copy for the intelligence, one for the Frame Cache.
- It is again checked for completeness.
- As soon as the SIP message is complete:
  1. An Analyzer is selected by determining a session ID, and the SIP message is sent to it along with meta information about the involved transport.
  2. The SIP message is examined by the currently active rule set.
- Here, the message has been found to be OK (Verdict: OK), so all its frames (2) are allowed to be sent out.

VoIP-Defender – Architecture: Rules

- Rules are based on any protocol information.
- Regular expressions enable filtering by content.
- Scripting rules allow even more complex operations (requires user-space filtering support on the FSNs).

Verdicts:
- OK: the frames are sent out in the correct order.
- DROP:
  - UDP: frames are simply dropped.
  - TCP: the connection is interrupted by injecting RST frames.
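
The hold-until-complete behaviour of the Filter & Scanner Node and the OK/DROP verdicts for UDP, as an added sketch (not the project's code). It assumes a "frame" is a UDP payload piece after IP defragmentation, that completeness is judged by the header terminator plus Content-Length, and that the flow key, the size cap and the sample rule are hypothetical.

```python
import re

MAX_HELD = 65535  # assumed cap on bytes held per flow before giving up

def sip_complete(buf: bytes) -> bool:
    """Headers ended (CRLF CRLF) and body is at least Content-Length bytes."""
    head, sep, body = buf.partition(b"\r\n\r\n")
    if not sep:
        return False
    m = re.search(rb"(?im)^(?:Content-Length|l)[ \t]*:[ \t]*(\d+)", head)
    return len(body) >= (int(m.group(1)) if m else 0)  # no header: empty body

class FilterScannerNode:
    def __init__(self, drop_rules):
        self.drop_rules = [re.compile(r) for r in drop_rules]
        self.cache = {}     # flow -> held frames (the Frame Cache)
        self.buffers = {}   # flow -> payload reassembled so far (analysis copy)

    def on_frame(self, flow, frame: bytes):
        """Return (verdict, frames to send out); verdict None = still held."""
        self.cache.setdefault(flow, []).append(frame)
        buf = self.buffers.get(flow, b"") + frame
        if not sip_complete(buf) and len(buf) <= MAX_HELD:
            self.buffers[flow] = buf
            return None, []
        self.buffers.pop(flow, None)
        frames = self.cache.pop(flow)
        if len(buf) > MAX_HELD or any(r.search(buf) for r in self.drop_rules):
            return "DROP", []       # UDP case: held frames are discarded
        return "OK", frames         # released in arrival order

def sample_invite(user_agent: bytes) -> bytes:
    """Constructed test message, not captured traffic."""
    body = b"v=0\r\no=- 0 0 IN IP4 192.0.2.10\r\ns=-\r\n"
    return (b"INVITE sip:bob@example.com SIP/2.0\r\n"
            b"Call-ID: a84b4c76e66710@192.0.2.10\r\n"
            b"User-Agent: " + user_agent + b"\r\n"
            b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body)
```

Nothing leaves the node until the whole message has a verdict, which is why a cap on held bytes matters: a sender that never completes a message would otherwise pin cache memory.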

VoIP-Defender – Architecture: Analyzer & Decider

- Detection algorithms are split into a scalable part and a non-scalable part.
- The scalable part is realized in the Analyzers.
- The non-scalable part is realized in the Decider.

Example: INVITE flooding from a single source.

[Diagram: the steps "Parsing", "INVITE?" and "Extract SRC" run in each Analyzer; the steps "increase counter for this SRC" and "Trigger Alarm" run in the Decider]

VoIP-Defender – Architecture: Analyzer

- Analyzers implement the scalable part of detection algorithms in VoIP-Defender.
- It is guaranteed that every SIP message that belongs to the same session is processed by the same Analyzer.
- APIs for algorithm programmers, offering:
  - Effective SIP parsing
  - Access to transport information
    - Protocol fragments
    - Transmission time and duration
    - SRC/DST IP address
    - Port numbers
  - Network communication with the Decider

VoIP-Defender – Architecture: Analyzer (components)

- Report Server (listens for incoming messages and reports from FSNs)
- Incoming Msg Buffer
- SIP Parser (pre-parses incoming SIP messages), producing the Parsed SIP Msg
- Algorithm Dispatcher (calls each analyzer in order with the current parsed SIP message)
- State / Analyzer Component (Algorithm 1), (Algorithm 2), (Algorithm 3)
- Result Client (sends individual result information to the decider layer)
- Control Interface (GUI interaction)

[Diagram labels: FSN connections, Decider connection, GUI connection, Meta Data, Results / Status, stores, access, provides]

VoIP-Defender – Architecture: Decider

- The Decider implements the non-scalable (common knowledge) part of detection algorithms in VoIP-Defender.
- It receives algorithm-specific reports from the Analyzers and dispatches them to the specific Decider modules.
- APIs for algorithm programmers, offering:
  - Rule management
  - Inter-algorithm communication
  - Network communication with Analyzers and FSNs

VoIP-Defender – Architecture: Decider (components)

- Result Server (listens for incoming result reports from the analyzer layer)
- Event Manager (dispatches events sent to and by algorithms)
- State / Decider Component (Algorithm 1), (Algorithm 2), (Algorithm 3), (Algorithm 4)
- Rule Cache (keeps current rules locally)
- Rule Control (sends control commands to the FSNs)
- Control Interface

[Diagram labels: Analyzer connections, FSN connections, Incoming result, Results, Create rules, Timers]
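
The Analyzer/Decider split for the single-source INVITE flooding example, together with session-based Analyzer selection, as an added sketch (not VoIP-Defender code). The CRC-based selection, the report format, the threshold and window values and the traffic are assumptions; it shows why the per-SRC counter has to live in the Decider when a flood spreads its sessions across Analyzers.

```python
import zlib
from collections import defaultdict, deque

def select_analyzer(session_id: str, n: int) -> int:
    """FSN side: the same session ID always lands on the same Analyzer."""
    return zlib.crc32(session_id.encode()) % n

def analyze(sip_msg: str, meta: dict):
    """Analyzer (scalable part): parse, check for INVITE, extract SRC."""
    if sip_msg.split(" ", 1)[0] != "INVITE":
        return None
    return {"src": meta["src_ip"], "ts_ms": meta["ts_ms"]}

class Decider:
    """Non-scalable part: one counter per SRC, fed by every Analyzer."""
    def __init__(self, threshold=5, window_ms=1000):   # assumed values
        self.threshold, self.window_ms = threshold, window_ms
        self.seen = defaultdict(deque)   # SRC -> INVITE times inside the window
        self.rules = []                  # rules that would be sent to the FSNs

    def report(self, rep):
        q = self.seen[rep["src"]]
        q.append(rep["ts_ms"])
        while rep["ts_ms"] - q[0] > self.window_ms:
            q.popleft()
        rule = ("DROP", rep["src"])
        if len(q) > self.threshold and rule not in self.rules:
            self.rules.append(rule)      # trigger alarm, create a filter rule

def run(traffic, n_analyzers=3):
    """traffic: (session_id, sip_msg, meta) tuples as an FSN would emit them."""
    decider, per_analyzer = Decider(), [0] * n_analyzers
    for session_id, msg, meta in traffic:
        idx = select_analyzer(session_id, n_analyzers)
        rep = analyze(msg, meta)         # this call runs on Analyzer `idx`
        if rep:
            per_analyzer[idx] += 1
            decider.report(rep)
    return decider.rules, per_analyzer

# Constructed traffic: 12 INVITEs in 550 ms from one source, each with a new
# session ID, plus two ordinary callers and one REGISTER.
INVITE = "INVITE sip:bob@example.com SIP/2.0"
SAMPLE = [(f"flood-{i}", INVITE, {"src_ip": "203.0.113.50", "ts_ms": i * 50})
          for i in range(12)]
SAMPLE += [("call-a", INVITE, {"src_ip": "198.51.100.7", "ts_ms": 100}),
           ("call-b", INVITE, {"src_ip": "198.51.100.8", "ts_ms": 300}),
           ("reg-1", "REGISTER sip:example.com SIP/2.0",
            {"src_ip": "198.51.100.7", "ts_ms": 320})]
```

`run(SAMPLE)` returns the rule list and the INVITE count each Analyzer handled; the per-Analyzer counts show that no single Analyzer needs to see the whole flood for the Decider to raise the alarm.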

VoIP-Defender – Next Steps

- Develop and implement more detection algorithms.
- Real-world deployment at a professional VoIP provider.
- Architectural refinements.
- Dedicated IMS support.

VoIP-Defender

Thanks – Questions?