1. Hack.LU 2006 In SPace Nobody Can Hear You Scream Nicolas FISCHBACH Senior Manager, Network Engineering Security, COLT Telecom nico@securite.org - http://www.securite.org/nico/ v1

2. Hack.LU 2006 2 Internet-wide Security Issues ● What kept us up at night :) ● SNMP ● SQL Slammer (and friends) ● Cisco wedge bug ● BGP TCP window [not really actually] ● Botnets and DDoS

3. Hack.LU 2006 3 Internet-wide Security Issues ● What have we done about it ? A lot. Too much maybe ? ● Route/prefix filtering ● DDoS detection: Netflow ● DDoS mitigation: BGP (+ MPLS (+ Cleaning)) ● xACLs and MPLS Core hiding ● QoS and Control Plane Policing (CoPP) ● BGP TTL trick (GTSM) and BGP TCP md5 ● Unicast RPF (uRPF) ● Router security 101

4. Hack.LU 2006 4 Carrier Backone cr tr ccr cr ar cpe cr cpe Edge Core Access Customer (access) Customer (transit) Router “types” ISPy ISPa ISPb tr ISPm ISPk ppr ISPm ISPy ISPj ixpr Transit Peering (IX or private) Access (/30) Link “types”

5. Hack.LU 2006 5 Carrier Backbone Security Edge Core Access Customer receive ACLs [rACL] / CoPP infrastructure ACLs [iACL] transit ACLs edge [tACLe] transit ACLs access [tACLa] Router “types” BGP (md5 / TTL) QoS uRPF

6. Hack.LU 2006 6 Carrier Backbone DDoS Detection ● Netflow (src/dst IP/port, protocol, ToS, interface - no payload, BPS/PPS/Time) Edge Access Router “types” NOC tr ccr ar tr ppr ixpr (Sampled) Netflow Aggregated Netflow Flows (SNMP) Alerts collector controller

7. Hack.LU 2006 7 DDoS Attack Mitigation internet Server ircd/p2p peering edge Deep Packet Inspection Sampled Netflow access layer core Network Level Mitigation Data Center Level Mitigation

8. Hack.LU 2006 8 Carrier Backbone DDoS Mitigation Edge Access Router “types” “Attack” traffic “Good” traffic Flows “Bad” traffic cr tr ccr cr ar cr tr ppr ixpr ar inspection VoIP Core

9. Hack.LU 2006 9 Internet-wide Security Issues ● What has really changed ? ● Route filtering : quite relax still ● DDoS detection, but weak mitigation : DDoS == background noise ● QoS : not for security, but for NGN ● CoPP : not widely deployed ● uRPF : not widely deployed ● BGP : md5 common (but useful ?), TTL-trick (the exception)

10. Hack.LU 2006 10 Internet-wide Security Issues ● Have we learned the lesson ? ● IPv6 ● Lots of security features in software (not in hardware) ● Will we ever see SoBGP / Secure BGP ? Do we need it ? ● Going up the stack, no mitigation at network level anymore (everything on top of 80/tcp, DNS attacks, etc)

11. Hack.LU 2006 11 Security Features ● What's the driver ? ● How to get those features across product ranges and vendors ● Shift of features towards edge, access, last/first mile ● But these features are not (often) security features ● Devices that never “saw” the “bad” Internet ● Features vs power vs cooling ● Hardware limitations (FPGA, ASIC, NP)

12. Hack.LU 2006 12 Security – which future ? ● No “big” “nation-wide” “critical infrastructure” issue recently ● IP/Data network infrastructure has become a commodity (until it's down) ● No focus on infrastructure security anymore (but the wake up call will be “funny”) ● So where do people put security research and resources into ?

13. Hack.LU 2006 13 NGN (Next Generation Networks)

14. Hack.LU 2006 14 NGNs ● Next Generation Networks ● VoIP and IMS ● Ethernet/DSL services ● Converged Networks ● Moving up and down the stack at the same time

15. Hack.LU 2006 Internet 15 PBX Trunking over IP FWFW PRI (ISDN over E1) TDM PSTN Voice Switch TDM PSTN Voice Switch H.323(/MGCP)/RTP No NAT Softswitch MGW CPE PBX H.323(/MGCP) MGCP RTP PBX POTS VoIP/ToIP No NAT T.38 (FAX) 64kUR (PBX Mgmt) DTMF

16. Hack.LU 2006 TDM PSTN Internet 16 Wholesale Voice over IP PRI (ISDN over multiple E1s or STM-1s) TDM PSTN Voice Switch TDM PSTN Voice Switch SIP/RTP Softswitch MGW SIP MGCP RTP POTS VoIP/ToIP Voice Switch MGW H.323/RTP Other Carrier VoIP Core SBCSBC

17. Hack.LU 2006 17 Security challenges ● VoIP protocols – No, VoIP isn't just SIP – SIP is a driver for IMS services and cheap CPEs – H.323 and MGCP (still) rock the carrier world ● Security issues – VoIP dialects – Only a couple of OEM VoIP stacks (think x-vendor vulnerabilities) – FWs / SBCs: do they solve issues or introduce complexity ? – Are we creating backdoors into customer networks ? – CPS and QoS

18. Hack.LU 2006 18 Session Border Controller ● What the role of an SBC ? – Security – Hosted NAT traversal (correct signalling / IP header) – Signalling conversion – Media Conversion – Stateful RTP pin-holing based on signalling ● Can be located at different interfaces: Customer/Provider, inside customer LAN, Provider/Provider (VoIP peering) ● What can be done on a FW with ALGs ?

19. Hack.LU 2006 19 IMS services ● IMS = IP Multimedia Subsystem ● Remember when the mobile operators built their WAP and 3G networks ? – Mostly “open” (aka terminal is trusted) – Even connected with their “internal”/IT network ● IMS services with MVNOs, 3G/4G: overly complex architecture with tons of interfaces ● Large attack surface: registration/tracking servers, application servers, etc ● Firewalling: complex if not impossible

20. Hack.LU 2006 20 IMS Future Threats ● FMC: Attack Fixed Mobile handover (GSM WiFi) ● “Vishing” (VoIP Phishing): risks associated with IVR ● Abusing IN systems

21. Hack.LU 2006 21 MSP and IP DSLAM ● Multi-Service Platform aka Carrier Ethernet ● IP/Ethernet DSLAMs ● Remember all the “LAN only” layer 2 attacks ? ● dsniff is not dead ;-) ● VLANs, TCAM, etc. ● Basic IP features DSLAMs

22. Hack.LU 2006 22 Conclusion ● Last 5 years : infrastructure security ● Next 5 years : NGN security ● In a couple of years : learn the hard way that NGN needs stable and secure underlying infrastructure