
Security for Service Providers: Protecting Service Infrastructure – Dave Gladwin – Newport Networks – SIP ’04 – 22-Jan-04 (presentation transcript)


Slide 1 – Security for Service Providers: Protecting Service Infrastructure Against DoS Attacks
Dave Gladwin, dave.gladwin@newport-networks.com

Slide 2 – Agenda
- What is a DoS attack?
- What is under attack?
- How are networks interconnected?
- What steps can be taken?
- How can we protect the interconnections?
- How can we protect the clients?

Slide 3 – What is an attack?
- Phreakers and hackers: from phones to computers and back again
- Stealing services; disrupting services
- Attacks can be classed as Logic Attacks or Flood Attacks
- Logic attacks exploit vulnerabilities in protocols or their implementations, e.g. Ping of Death, Teardrop, Land etc.
- Flood attacks disable targets through traffic volume
- A flood attack can originate from a single platform (Denial of Service, DoS attack) or from multiple platforms (Distributed Denial of Service, DDoS attack)

Slide 4 – DoS and DDoS
[Diagram: DoS: Attacking Machine → Target Machine. DDoS: Attack Control Machine → Zombies → Target Machine]

Slide 5 – What are the Targets?
- Targets: SIP servers, SIP proxies, SIP clients
- Launch pads: SIP servers, SIP proxies, SIP clients
- The SIP environment is subject to existing DoS attacks, and to newer SIP-specific attacks

Slide 6 – PSTN Networks
[Diagram: Local Switch → International Switch; International Switches of each carrier interconnected over the PSTN]
- SS7 between carriers
- The International Switch is the demarcation point between carriers

Slide 7 – Hybrid Networks #1
[Diagram: Local Switch → PSTN Access → Media Gateway → IP Core → Media Gateway → PSTN]
- Media Gateway converts the PSTN call to IP
- Media Gateway converts the IP call back to PSTN for breakout
- IP core is typically introduced to reduce transport costs

Slide 8 – Hybrid Networks #2
- Peering networks interconnected using Media Gateways
- Media Gateways create demarcation for security and accounting
- Limited to voice calls only

Slide 9 – IP Interconnect
- Peer networks interconnected using Session Controllers
- Session Controllers create demarcation for security and accounting
- Voice or multimedia calls

Slide 10 – Peer-to-Peer characteristics
- Web browsing is essentially anonymous; multimedia peer-to-peer is not
- A SIP client has a public presence: SIP registration means public visibility of the client
- Public visibility means potential targets: clients and servers can become targets or launch pads
- SIP signalling attacks: partly logic, partly flood
- Media attacks: pure floods

Slide 11 – IP Telephony Security
- Like any security system, multiple levels are needed
- Some safeguards are built into the protocol:
  - End-to-end encryption (client based): encrypts the message body and some header fields; does not hide the To and Via fields
  - Hop-by-hop encryption of Via fields (SIP server based): Hide Hop or Hide Route
- Network partitioning: use of session controllers to provide demarcation
- Access control: use of session controllers to police resource utilization

Slide 12 – Network partitioning
- Protect the core network edges: peer and access
- Prevention and cure: hide, limit and block
- Hide network topology: remove ALL internal network information from IP and SIP messages
- Proxy offers higher levels of security and privacy for users: only the proxy address is seen; helps prevent clients being used as launch pads; inserts a dedicated device in the path
- Block unsolicited media: wire-speed packet dropping of conventional DoS attacks at IP level and of RTP/SIP INVITE attacks
- Limit bandwidth consumption: media throttling
- Signalling integrity checks

Slide 13 – Network Topology hiding
[Diagram: SIP Client (IP address A) → 1st VIA (X) → 2nd VIA (Y) → Core IP Network → Peer Network; SIP message at the peering point: Source: A, VIA1: X, VIA2: Y]
- As a SIP message traverses the network it may have VIAs added
- When the packet arrives at the Peer Network, the Source Address and VIAs provide a roadmap
- Don’t make it easy: hide all this detail

Slide 14 – Network Topology hiding
[Diagram: SIP Client (IP address A) → 1st VIA → 2nd VIA → Session Controller (B) → Core IP Network → Peer Network; SIP message at the peering point: Source: B, no VIAs]
- Session Controller proxies the source address of the message
- Both the IP and SIP parts of the message are updated
- All VIA information is removed
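The rewrite slides 13 and 14 describe, as an added Python example that is not part of the original presentation or of any Newport Networks product: every Via accumulated inside the core is stripped and replaced by a single Via naming the Session Controller, and the Contact host is proxied the same way. The Session Controller address, the internal prefixes and the sample INVITE are constructed values; the reverse path (restoring the stored Vias on the response) is not shown.

```python
import re
import uuid
from typing import Dict, List

# Assumed public address of the peering Session Controller (constructed).
SC_ADDRESS = "203.0.113.10:5060"
# Constructed internal prefixes that must never be visible at the peering point.
INTERNAL_PREFIXES = ("10.", "192.168.")

# Constructed INVITE as it reaches the Session Controller after two internal hops.
SAMPLE_INVITE = (
    "INVITE sip:bob@peer.example SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.1.2.3:5060;branch=z9hG4bK-y1\r\n"
    "Via: SIP/2.0/UDP 10.1.1.1:5060;branch=z9hG4bK-x1\r\n"
    "From: <sip:alice@example.net>;tag=a1\r\n"
    "To: <sip:bob@peer.example>\r\n"
    "Call-ID: c1-7f3a@example.net\r\n"
    "CSeq: 1 INVITE\r\n"
    "Contact: <sip:alice@192.168.5.5:5060>\r\n"
    "Content-Length: 0\r\n\r\n"
)


def hide_topology(message: str, via_store: Dict[str, List[str]]) -> str:
    """Return the message as it should leave towards the peer network."""
    head, sep, body = message.partition("\r\n\r\n")
    request_line, *headers = head.split("\r\n")
    kept, stripped, call_id = [], [], ""
    for h in headers:
        name, _, value = h.partition(":")
        name = name.strip().lower()
        if name in ("via", "v"):
            stripped.append(h)            # every core Via leaves the message
            continue
        if name in ("call-id", "i"):
            call_id = value.strip()
        if name in ("contact", "m"):      # peer must reach us, not the client
            h = re.sub(r"@[^>;]+", "@" + SC_ADDRESS, h)
        kept.append(h)
    via_store[call_id] = stripped         # kept so the response can be routed back
    new_via = f"Via: SIP/2.0/UDP {SC_ADDRESS};branch=z9hG4bK-{uuid.uuid4().hex[:12]}"
    return "\r\n".join([request_line, new_via, *kept]) + sep + body


def leaks_internal_address(message: str) -> bool:
    """True if any internal address is still visible in the message."""
    return any(re.search(r"\b" + re.escape(p), message) for p in INTERNAL_PREFIXES)
```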

Slide 15 – Benefits
- The network advertises the SIP Call Agent address as the Peer Session Controller to external networks
- Any call entering or leaving the network appears to come from the address of the Session Controller
- All internal network details are hidden
- Signalling and media paths are tied together at this point, which means:
  - Media bandwidth can be policed
  - Unsolicited media can be dropped

Slide 16 – Media policing
[Diagram: SIP Client (IP address A) → Session Controller (B) → Core IP Network; signalling indicates the bandwidth, the Session Controller polices the actual bandwidth, media exceeding the bandwidth is dropped]
- Protects network peering points
- Prevents excessive media in the Core Network
- Protects clients

Slide 17 – Blocking of Unsolicited Media
[Diagram: SIP Client (IP address A) → Session Controller (B) → Core IP Network; no media path opened by signalling, unsolicited media received at the Session Controller]
- Session Controller only opens ports for specific source/destination IP address/port pairs
- Non-matching media is dropped at wire speed
- Protects Core and Clients

Slide 18 – User Security and Privacy
[Diagram: Access Network – SIP Client A – Core Network – Call Agent; unsolicited media directed at A]
- SIP Client registers address A
- Address A is now a ‘public’ address
- Unsolicited media can be directed at this address
- Difficult for the Service Provider to police

Slide 19 – User Security and Privacy
[Diagram: Access Network – SIP Client A – Session Controller B – Core Network – Call Agent; unsolicited media directed at B]
- SIP Client registers; the message is routed via the Session Controller
- Session Controller modifies the source address to one of its own, ‘B’
- Address ‘B’ is now the ‘public’ address for Client A
- Unsolicited media directed at this address is dropped at wire speed
- Simple for the Service Provider to police

Slide 20 – Example Media Attack
[Diagram: Access Network – SIP Client A – Core Network – SIP Media Server; attacker sends INVITE to the Media Server with source address Client A; Media Server streams media to Client A]
- Attacker learns Client A’s registered address
- Attacker sends INVITE to SIP Media Server, spoofing the target’s address
- Client A and the Access Network are saturated with media packets

Slide 21 – Media Attack Limited
[Diagram: Access Network – SIP Client A – Session Controller – Core Network – SIP Media Server; attacker sends INVITE to the Media Server with source address = proxy address of Client A; Media Server streams media to the proxy (Session Controller)]
- Attacker learns Client A’s registered address (proxy)
- Attacker sends INVITE to SIP Media Server, spoofing the target’s proxied address
- Session Controller does not have a valid media path set up for Client A
- All unsolicited media is dropped; Access Network and Client are protected
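The two media controls the Session Controller applies at the demarcation point, as an added Python example that is not part of the original presentation or of any vendor implementation: slide 17's pinhole (a flow passes only if signalling opened that exact source/destination IP/port pair), slide 16's policing (each direction is held to the bandwidth announced in the receiving side's SDP b=AS: line, kbit/s), and the slide 21 outcome where media arriving for Client A with no signalled path is dropped. The SDP fragments, addresses, the 64 kbit/s default and the 200 ms burst allowance are constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, Tuple

Flow = Tuple[str, int, str, int]      # (src ip, src port, dst ip, dst port)

# Constructed SDP bodies: Client A's offer and the Media Server's answer.
OFFER_SDP = "v=0\r\nc=IN IP4 192.0.2.20\r\nb=AS:64\r\nm=audio 4000 RTP/AVP 0\r\n"
ANSWER_SDP = "v=0\r\nc=IN IP4 198.51.100.7\r\nb=AS:64\r\nm=audio 6000 RTP/AVP 0\r\n"


def parse_sdp(sdp: str) -> Tuple[str, int, int]:
    """Return (media ip, media port, bandwidth kbit/s) from the c=, m= and b=AS: lines."""
    ip = re.search(r"^c=IN IP4 (\S+)", sdp, re.M).group(1)
    port = int(re.search(r"^m=audio (\d+) ", sdp, re.M).group(1))
    bw = re.search(r"^b=AS:(\d+)", sdp, re.M)
    return ip, port, (int(bw.group(1)) if bw else 64)   # assumed default: one G.711 stream


@dataclass
class Bucket:
    rate: float     # bytes per second the signalling announced
    burst: float    # slack in bytes (constructed: 200 ms of the rate)
    tokens: float
    last: float


class SessionController:
    def __init__(self) -> None:
        self.pinholes: Dict[Flow, Bucket] = {}

    def open_session(self, offer: str, answer: str, now: float) -> None:
        """Signalling completed: open one pinhole per direction, sized from the SDP."""
        a_ip, a_port, a_kbps = parse_sdp(offer)
        b_ip, b_port, b_kbps = parse_sdp(answer)
        # A->B is limited by what B asked to receive, and vice versa.
        for src, dst, kbps in (((a_ip, a_port), (b_ip, b_port), b_kbps),
                               ((b_ip, b_port), (a_ip, a_port), a_kbps)):
            rate = kbps * 1000 / 8
            self.pinholes[(*src, *dst)] = Bucket(rate, rate * 0.2, rate * 0.2, now)

    def admit(self, flow: Flow, nbytes: int, now: float) -> bool:
        """True if the packet may pass; False means drop at wire speed."""
        bucket = self.pinholes.get(flow)
        if bucket is None:                 # slide 17: no path opened by signalling
            return False
        bucket.tokens = min(bucket.burst, bucket.tokens + (now - bucket.last) * bucket.rate)
        bucket.last = now
        if nbytes > bucket.tokens:         # slide 16: media exceeds signalled bandwidth
            return False
        bucket.tokens -= nbytes
        return True
```

A 160-byte G.711 packet every 20 ms fits the 64 kbit/s pinhole indefinitely, while a burst of 1500-byte packets is refused as soon as the 200 ms allowance is spent.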

Slide 22 – Partitioned Network
- Peering points connected via Session Controllers: provides media protection, accounting and topology hiding
- Corporate networks accessed via Session Controllers
- Clients and Access Networks protected from unsolicited and excessive media

Slide 23 – Other activities
- STEM (Secure Telephony Enabled Middlebox): proposal for a middlebox solution aimed at improving the security of enterprise telephony services
- ICE (Interactive Connectivity Establishment): proposal for a client-based connectivity solution; makes use of STUN (Simple Traversal of UDP through NAT); connectivity is confirmed before media is sent

Slide 24 – Summary
- DoS needs targets: implement ‘hiding’ and encryption wherever possible; reveal as little as possible
- Hide the entire network at the peering point: don’t advertise internal network addresses
- Hide real clients on the access side: don’t advertise real client addresses
- Partition the network with Session Controllers: block unsolicited media; police actual media bandwidth
- Limits the scope of any attack

Slide 25 – Thank You
Dave Gladwin, dave.gladwin@newport-networks.com
