Presentation is loading. Please wait.

Presentation is loading. Please wait.

SIP Security & the Future of VoIP Nate Klingenstein APAN 26 Queenstown August 5, 2008 ~ndk/apanSIP.pdf.

Published byKiana Telling Modified over 9 years ago

Similar presentations

Presentation on theme: "SIP Security & the Future of VoIP Nate Klingenstein APAN 26 Queenstown August 5, 2008 ~ndk/apanSIP.pdf."— Presentation transcript:

1 SIP Security & the Future of VoIP Nate Klingenstein APAN 26 Queenstown August 5, 2008 http://people.internet2.eduhttp://people.internet2.edu/ ~ndk/apanSIP.pdf

2 Securing SIP The threats The existing protocol’s problems Attempted solutions Skype for comparison Next steps

3 The Threat Model A lot like any other network application’s problems Denial-of-Service (DoS) attacks Eavesdropping / Man in the Middle Spoofing, replay, spam (SPIT) Poor authentication, authorization Demonstrated attacks

4 Are these threats hypothetical? Security must always be pragmatic and proportional http://www.loria.fr/~nassar/readme.html http://www.voipsa.org/Resources/tools. php http://www.voipsa.org/Resources/tools. php Human faces and voice recognition do provide limited authentication & protection

5 Enterprise Middleware Many universities and companies manage information about their members Directories, databases Applications use these data for better security, auditing, user services Large benefits for enterprise webapps

6 Specific Problems Authentication: HTTP digest, basic Realm-specific Traffic unencrypted Trust between realms and proxies poor Disconnected from identity management infrastructure

7 Possible Solutions Look a lot like the solutions for other old protocols: Hack security into an old protocol Firewall everything Accept that SIP is too difficult to secure

8 Security Attempts Many tries with varying success New RFC’s, internet-drafts Integration with RADIUS, TLS authentication Integration with directories Improved deployment practices

9 SURA/ViDe 4th Annual Workshop Inter-Realm SIP Bob on a desktop With a SIP VC-UA SIP Proxy Alice on a desktop With a SIP VC-UA INVITE Invite from Bob 180 Ringing 200 OK SIP Proxy If Bob is valid, Forward INVITE Can I trust you? Sure, I belong to the same club 180 Ringing Realm CGU.EDURealm: Microsoft.com

10 SAML + SIP Attempt to fix three major problems Authentication methods Realm trust Connection to infrastructure internet-drafts were written to make a SAML MIME on the invite, but failed

11 Firewall Everything Private networks VPN IDS/IPS TLS/IPSec Dedicated hardware devices STUN & TURN

12 Issues with Firewall Everything Cross-realm trust not addressed Possibly multiple interfaces and/or devices with private network One more step towards Internet quarantine...

13 Securing SIP A combination of approaches is necessary Network-level protection Federated trust Middleware integration Phones and other hardware make modification more difficult

14 14 Use of IPS between VoIP network and data IP network. Use of IDS between VoIP network and data IP network. Use NAC (network access control) such as 802.1X and RADIUS to authenticate hard phones. Softphones require the use of the separate VoIP network (physical LAN, VLAN, subnet address, etc.) from the data IP network. Softphones are allowed with IPSEC transport mode. Softphones are allowed with IPSEC VPNs. Use NAC (network access control) such as 802.1X and RADIUS to authenticate hard phones. Allow NAT traversal via STUN or TURN Internet proxies. Provide separate dedicated bandwidth for VoIP traffic to the Internet. VoIP Higher Ed Security Survey Which VoIP Security mechanisms do[n’t] you use?

15 15 VoIP Higher Ed Security Survey

16 The Skype Model Proprietary, decentralized protocol RC4 encryption Firewall and NAT detection, agility Central login server, hashed SIP used by SkypeOut/SkypeIn with PSTN interconnections; gateways to SIP phones

17 Can SIP Learn from Skype? TLS/IPSec offer good encryption Authentication over TLS (digest/PKI/SAML) is good Bandwidth, centralization not big problems The world has no central login server Cross-domain trust not solved

18 Conclusions SIP needs a lot of attention to be secure Existing ideas can address some shortcomings Some efforts stopped No central work combining all efforts Some attacks don’t have cost- effective solutions

19 Questions? http://www.internet2.edu/sip.edu/ ndk@internet2.edu

Download ppt "SIP Security & the Future of VoIP Nate Klingenstein APAN 26 Queenstown August 5, 2008 ~ndk/apanSIP.pdf."

Similar presentations

Presence, Security and Privacy. www.dynamicsoft.com VON 3.20. 01 The Current Environment Many Faces of Security Authentication Verify someone is who they.

Presence, Security and Privacy. VON The Current Environment Many Faces of Security Authentication Verify someone is who they.
www.dynamicsoft.com U N L E A S H I N G A S E R V I C E S R E N A I S S A N C E SIP 2000-05-10-00 SIP Security Jonathan Rosenberg Chief Scientist.

U N L E A S H I N G A S E R V I C E S R E N A I S S A N C E SIP SIP Security Jonathan Rosenberg Chief Scientist.
SURA/ViDe 4th Annual Workshop SIP, Security & Threat Models Dr. Samir Chatterjee School of Information Science Claremont Graduate University Claremont,

SURA/ViDe 4th Annual Workshop SIP, Security & Threat Models Dr. Samir Chatterjee School of Information Science Claremont Graduate University Claremont,
Network Systems Sales LLC

Network Systems Sales LLC
Addressing Security Issues IT Expo East 2011. Addressing Security Issues Unified Communications SIP Communications in a UC Environment.

Addressing Security Issues IT Expo East Addressing Security Issues Unified Communications SIP Communications in a UC Environment.
Security in VoIP Networks Juan C Pelaez Florida Atlantic University Security in VoIP Networks Juan C Pelaez Florida Atlantic University.

Security in VoIP Networks Juan C Pelaez Florida Atlantic University Security in VoIP Networks Juan C Pelaez Florida Atlantic University.
Nicolas FISCHBACH Senior Manager, IP Engineering/Security - COLT Telecom - version 1.0 Voice over IP (VoIP)

Nicolas FISCHBACH Senior Manager, IP Engineering/Security - COLT Telecom - version 1.0 Voice over IP (VoIP)
Guide to Network Defense and Countermeasures Second Edition

Guide to Network Defense and Countermeasures Second Edition
The study and demonstration on SIP security vulnerabilities Mahidhar Penigi Vamsi Krishna Karnati.

The study and demonstration on SIP security vulnerabilities Mahidhar Penigi Vamsi Krishna Karnati.
VPN: Virtual Private Network Presented by: Germaine Bacon Lizzi Beduya Betty Huang Jun Mitsuoka Juliet Polintan.

VPN: Virtual Private Network Presented by: Germaine Bacon Lizzi Beduya Betty Huang Jun Mitsuoka Juliet Polintan.
1 Kommunikatsiooniteenuste arendus IRT0080 Loeng 5 Avo Ots telekommunikatsiooni õppetool, TTÜ raadio- ja sidetehnika inst.

1 Kommunikatsiooniteenuste arendus IRT0080 Loeng 5 Avo Ots telekommunikatsiooni õppetool, TTÜ raadio- ja sidetehnika inst.
5-Network Defenses Dr. John P. Abraham Professor UTPA.

5-Network Defenses Dr. John P. Abraham Professor UTPA.
1.1 © 2004 Pearson Education, Inc. Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 1: Introducing Windows Server.

1.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 1: Introducing Windows Server.
Enabling SIP to the Enterprise Steve Johnson, Ingate Systems Security: How SIP Improves Telephony.

Enabling SIP to the Enterprise Steve Johnson, Ingate Systems Security: How SIP Improves Telephony.
Cosc 4765 Network Security: Routers, Firewall, filtering, NAT, and VPN.

Cosc 4765 Network Security: Routers, Firewall, filtering, NAT, and VPN.
SIP Security Issues: The SIP Authentication Procedure and its Processing Load Stefano Salsano, DIE — Universit à di Roma “ Tor Vergata ” Luca Veltri, and.

SIP Security Issues: The SIP Authentication Procedure and its Processing Load Stefano Salsano, DIE — Universit à di Roma “ Tor Vergata ” Luca Veltri, and.
Voice over IP and IP telephony Network convergence – Telephone and IT – PoE (Power over Ethernet) Mobility and Roaming Telco – Switched -> Packet (IP)

Voice over IP and IP telephony Network convergence – Telephone and IT – PoE (Power over Ethernet) Mobility and Roaming Telco – Switched -> Packet (IP)
H. 323 and firewalls: Problem Statement and Solution Framework Author: Melinda Shore, Nokia Presenter: Shannon McCracken.

H. 323 and firewalls: Problem Statement and Solution Framework Author: Melinda Shore, Nokia Presenter: Shannon McCracken.
1 Network Architecture and Design Advanced Issues in Internet Protocol (IP) IPv4 Network Address Translation (NAT) IPV6 IP Security (IPsec) Mobile IP IP.

1 Network Architecture and Design Advanced Issues in Internet Protocol (IP) IPv4 Network Address Translation (NAT) IPV6 IP Security (IPsec) Mobile IP IP.
Internet Protocol Security An Overview of IPSec. Outline:  What Security Problem?  Understanding TCP/IP.  Security at What Level?  IP Security. 

Internet Protocol Security An Overview of IPSec. Outline:  What Security Problem?  Understanding TCP/IP.  Security at What Level?  IP Security. 

Similar presentations

Ads by Google