Presentation is loading. Please wait.

Presentation is loading. Please wait.

Towards a Scalable and Secure VoIP Infrastructure Towards a Scalable and Secure VoIP Infrastructure Lab for Advanced Networking Systems Director: David.

Published byAlan Potter Modified over 9 years ago

Similar presentations

Presentation on theme: "Towards a Scalable and Secure VoIP Infrastructure Towards a Scalable and Secure VoIP Infrastructure Lab for Advanced Networking Systems Director: David."— Presentation transcript:

1 Towards a Scalable and Secure VoIP Infrastructure Towards a Scalable and Secure VoIP Infrastructure Lab for Advanced Networking Systems Director: David K. Y. Yau DNS server Proxy / redirect server VoIP phone POTS Media gateway IP network Legacy phone Mobile VoIP phone SIP signaling / TLS / TCP User registration Media: RTP/RTCP/UDP SIP flood and spoofing / theft-of- service / authentication attack Media eavesdropping, UDP / RTP flood, encryption attack, faked ToS (theft-of-service) Device Threats Virus, misconfiguration, compromise (phone) TLS flood, authentication / encryption (proxy) RTP port starvation (media gateway) Wireless attack, jamming, RTS / CTS attack 2. VoIP Network Architecture INVITE sip:john.lui@cuhk.edu.hk 180 Ringing BYE 200 OK INVITE sip:john.lui@cuhk.edu.hk 180 Ringing ACK Media Stream 200 OK 3. SIP: Security Issues SIP requires: Proxy server, Redirection Server, Firewall …etc These servers can be subjected to (1) DDoS attack (2) Low-Rate TCP attack (3) Jamming attack If not handled carefully, VoIP won’t fly. Server To S Aggressive flow Throttle for S’ To S’ Throttle for S Securely installed by S Deployment router Server 18.23 6.65 14.1 0.01 1.40 0.22 17.73 0.61 0.95 6.25 20.53 24.88 15.51 17.73 0.22 0.61 0.95 59.9  Sufficiently large attack burst  Packet loss at congested router  TCP time out & retransmit after RTO  Attack period = RTO of TCP flow,  TCP continually incurs loss & achieves zero or very low throughput.  Sufficiently large attack burst  Packet loss at congested router  TCP time out & retransmit after RTO  Attack period = RTO of TCP flow,  TCP continually incurs loss & achieves zero or very low throughput. Avg BW= lR/T Case 3. Wi-Fi Jamming Wireless VoIP using 802.11 Wi-Fi Security problems :  Common Jamming  Low-rate attack on the control plane  Exploiting the protocol :RTS-CTS AP AB time RTS(A) CTS(A) defer RTS(A) CTS(A) 4. Conclusion  Security solutions  Initial focus will be on denial-of-service, considering security protocols like SRTP, TLS, S/MIME, SSL, etc  Protocol design and analysis (solutions must be scalable despite encryption, authentication, etc)  Seek experimental evaluation  Realistic testbed network  Hope to evolve into international scope: Bell Labs (NJ), Purdue (IN), Chinese University (Hong Kong), … Protocol Stack Session Initiation Protocol (SIP) Case 1. Flooding Attack Solution: Router Throttle Example Max-min Rates (L=18, H=22) Case 2. Low-rate DoS Attack on TCP Flow RTS-CTS Jamming  Attack flows V.S. legitimate flows  Expect a separation between them.  Attack flows V.S. legitimate flows  Expect a separation between them.  Probability distribution of DTW values threshold Robustness of Detection  Sample recent instantaneous throughput at a constant rate  Each time of detection consists of a sequence of instantaneous throughput  Normalization is necessary  The background noise of samples need to be filtered  Background noise (UDP flows and other TCP flows that less sensitive to attack)  For simplicity, a threshold filter can be used.  Autocorrelation is adopted to extract the periodic signature of input signal. periodic input => special pattern of its autocorrelation. (Autocorrelation can also mask the difference of time shift S)  Unbiased normalization M: length of input sequence m: index of autocorrelation  Similarity between the template and input should be calculated.  We use the Dynamic Time Warping (DTW). (The detail algorithm of DTW is provided in our research work)  The smaller the DTW value, the more similar they are.  DTW values will be clustered; threshold can be set to distinguish them. Pattern match Extract the signature Filter the noise Sample the traffic Algorithm of Detection 1. Security Challenges:  Traditional telephone network  Highly reliable, voice specific, closed and physically secure system  VoIP network  Unpredictable/open transport, data/voice convergent, publicly connected (intelligent but untrusted/malicious systems)  Security should not be an afterthought  Media, signaling, infrastructure attacks

Download ppt "Towards a Scalable and Secure VoIP Infrastructure Towards a Scalable and Secure VoIP Infrastructure Lab for Advanced Networking Systems Director: David."

Similar presentations

The leader in session border control for trusted, first class interactive communications.

The leader in session border control for trusted, first class interactive communications.
www.dynamicsoft.com Fall VoN 2000 SIP Servers SIP Servers: A Buyers Guide Jonathan Rosenberg Chief Scientist.

Fall VoN 2000 SIP Servers SIP Servers: A Buyers Guide Jonathan Rosenberg Chief Scientist.
IMS and Security Sri Ramachandran NexTone. 2 CONFIDENTIAL © 2006, NexTone Communications. All rights Traditional approaches to Security - The CIA principle.

IMS and Security Sri Ramachandran NexTone. 2 CONFIDENTIAL © 2006, NexTone Communications. All rights Traditional approaches to Security - The CIA principle.
Voice Security Interop 2009 Mark D. Collier SecureLogix Corporation

Voice Security Interop 2009 Mark D. Collier SecureLogix Corporation
Information-Centric Networks09c-1 Week 9 / Paper 3 VoCCN: Voice Over Content-Centric Networks –V. Jacobson, D. K. Smetters, N. H. Briggs, M. F. Plass,

Information-Centric Networks09c-1 Week 9 / Paper 3 VoCCN: Voice Over Content-Centric Networks –V. Jacobson, D. K. Smetters, N. H. Briggs, M. F. Plass,
Tom Behrens Adam Muniz. Overview What is VoIP SIP Sessions H.323 Examples Problems.

Tom Behrens Adam Muniz. Overview What is VoIP SIP Sessions H.323 Examples Problems.
Security in VoIP Networks Juan C Pelaez Florida Atlantic University Security in VoIP Networks Juan C Pelaez Florida Atlantic University.

Security in VoIP Networks Juan C Pelaez Florida Atlantic University Security in VoIP Networks Juan C Pelaez Florida Atlantic University.
Nicolas FISCHBACH Senior Manager, IP Engineering/Security - COLT Telecom - version 1.0 Voice over IP (VoIP)

Nicolas FISCHBACH Senior Manager, IP Engineering/Security - COLT Telecom - version 1.0 Voice over IP (VoIP)
Camarillo / Schulzrinne / Kantola November 26th, 2001 SIP over SCTP performance analysis

Camarillo / Schulzrinne / Kantola November 26th, 2001 SIP over SCTP performance analysis
The study and demonstration on SIP security vulnerabilities Mahidhar Penigi Vamsi Krishna Karnati.

The study and demonstration on SIP security vulnerabilities Mahidhar Penigi Vamsi Krishna Karnati.
SIP Security & the Future of VoIP Nate Klingenstein APAN 26 Queenstown August 5, 2008 ~ndk/apanSIP.pdf.

SIP Security & the Future of VoIP Nate Klingenstein APAN 26 Queenstown August 5, ~ndk/apanSIP.pdf.
Voice over IP and IP telephony Network convergence – Telephone and IT – PoE (Power over Ethernet) Mobility and Roaming Telco – Switched -> Packet (IP)

Voice over IP and IP telephony Network convergence – Telephone and IT – PoE (Power over Ethernet) Mobility and Roaming Telco – Switched -> Packet (IP)
H. 323 and firewalls: Problem Statement and Solution Framework Author: Melinda Shore, Nokia Presenter: Shannon McCracken.

H. 323 and firewalls: Problem Statement and Solution Framework Author: Melinda Shore, Nokia Presenter: Shannon McCracken.
1 Network Architecture and Design Advanced Issues in Internet Protocol (IP) IPv4 Network Address Translation (NAT) IPV6 IP Security (IPsec) Mobile IP IP.

1 Network Architecture and Design Advanced Issues in Internet Protocol (IP) IPv4 Network Address Translation (NAT) IPV6 IP Security (IPsec) Mobile IP IP.
Defending Against Low-rate TCP Attack: Dynamic Detection and Protection Prof. John C.S. Lui CSE Dept. CUHK.

Defending Against Low-rate TCP Attack: Dynamic Detection and Protection Prof. John C.S. Lui CSE Dept. CUHK.
January 23-26, 2007 Ft. Lauderdale, Florida IP Communications, Secure – By Design Roger W. Farnsworth.

January 23-26, 2007 Ft. Lauderdale, Florida IP Communications, Secure – By Design Roger W. Farnsworth.
A Security Pattern for a Virtual Private Network Ajoy Kumar and Eduardo B. Fernandez Dept. of Computer Science and Eng. Florida Atlantic University Boca.

A Security Pattern for a Virtual Private Network Ajoy Kumar and Eduardo B. Fernandez Dept. of Computer Science and Eng. Florida Atlantic University Boca.
Fast Detection of Denial-of-Service Attacks on IP Telephony Hemant Sengar, Duminda Wijesekera and Sushil Jajodia Center for Secure Information Systems,

Fast Detection of Denial-of-Service Attacks on IP Telephony Hemant Sengar, Duminda Wijesekera and Sushil Jajodia Center for Secure Information Systems,
Fast Detection of Denial-of-Service Attacks on IP Telephony Hemant Sengar, Duminda Wijesekera and Sushil Jajodia Center for Secure Information Systems,

Fast Detection of Denial-of-Service Attacks on IP Telephony Hemant Sengar, Duminda Wijesekera and Sushil Jajodia Center for Secure Information Systems,
Defending Against Low-rate TCP Attack: Dynamic Detection and Protection Haibin Sun John C.S.Lui CSE Dept. CUHK David K.Y.Yau CS Dept. Purdue U.

Defending Against Low-rate TCP Attack: Dynamic Detection and Protection Haibin Sun John C.S.Lui CSE Dept. CUHK David K.Y.Yau CS Dept. Purdue U.

Similar presentations

Ads by Google