
INFOTECH Seminar Advanced Communication Services (ACS), 2004. Mentor: Dr.-Ing. S. Rupp

Security Issues and Solutions for Voice over IP compared to Circuit Switched Networks. Andon Batchvarov, Institute of Communication Networks and Computer Engineering, University of Stuttgart.





Presentation Transcript


  1. INFOTECH Seminar Advanced Communication Services (ACS), 2004 Mentor: Dr.-Ing. S. Rupp Security Issues and Solutions for Voice over IP compared to Circuit Switched Networks Andon Batchvarov Institute of Communication Networks and Computer Engineering University of Stuttgart

  2. Motivation
  • Voice over IP expected to replace the Public Switched Telephone Network (PSTN)
  • Challenge: VoIP should provide same or better services than PSTN
    • Availability
    • Reliability
    • Quality of Service
  • Security is essential for meeting this challenge

  3. Agenda
  • VoIP and IP Telephony
  • Security issues in general
  • Security issues in VoIP and PSTN
  • Attacks in IP Telephony networks
  • Security solutions for VoIP
    • IPsec
    • Firewalls
    • Others
  • Conclusions

  4. What is VoIP?
  • Voice over the public Internet
    • general transport of voice calls over the public Internet
    • unpredictable quality of the speech connection
  • VoIP
    • is a technology
    • based on standards (SIP, H.323)
    • allows transport of voice calls over any IP network
  • IP Telephony
    • practical application of the VoIP technology

  5. [Figure: IP Telephony network. IP phones on an IP network, a call processing server, and a VoIP gateway connecting the IP network to the PSTN]

  6. IP Telephony network elements
  • IP phones
    • realized in software/hardware
  • Call processing server
    • call processing
    • access control
    • storage of user profiles
    • storage of network configuration
  • VoIP gateway
    • interconnectivity between IP and PSTN

  7. Security requirements
  • Confidentiality
  • Integrity
  • Availability

  8. Types of attacks
  • passive and active attacks
    • passive
      • eavesdropping (interception)
      • statistical analysis
    • active
      • interruption of a service (Denial of Service)
      • modification of messages
      • fabrication of messages
      • replaying messages
  • outsider vs. insider attacks

  9. Protection mechanisms
  • Encryption
    • symmetric or asymmetric
    • digital signatures, Public Key Infrastructure
  • Access control
    • Authentication
      • proving identity
    • Authorization
      • check permissions for access
    • Accounting
      • billing for services

  10. Security issues: VoIP vs. PSTN
  • IP based network threats apply to VoIP
  • open (VoIP) vs. closed (PSTN) environment
  • new vs. established technology
  • widespread vs. hidden knowledge
  • converged vs. separated networks for voice and data
  • same vs. different physical networks for voice and signalling
  • placement of intelligence in network vs. end-systems

  11. Attacks in IP Telephony networks
  Some examples:
  • call interception
  • viruses, worms, Trojan horses
    • especially for PC-based IP phones
    • infection may spread from data to voice segment
  • caller identity spoofing
  • toll fraud
  • Denial of Service (DoS)
    • “TCP SYN flood”
    • “ping of death”

  12. IPsec
  • often in combination with VPN
  • IPsec provides security services on layer 3:
    • integrity
    • confidentiality
    • data origin authentication
    • rejection of replayed packets
    • limited traffic flow confidentiality
  • AH (Authentication Header) or ESP (Encapsulating Security Payload)
  • AH and ESP used in transport or tunnel mode

  13. IPsec
  • ESP in tunnel mode
    original IP packet: | IP hdr | IP data |
    after encapsulation: | new IP hdr | ESP hdr | IP hdr | IP data | ESP tr | ESP auth |
    encrypted part: IP hdr, IP data, ESP tr
    authenticated part: ESP hdr, IP hdr, IP data, ESP tr
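The receiver side of the ESP services listed on slide 12 (data origin authentication, integrity, rejection of replayed packets), as an added example that is not part of the original presentation. It computes the ICV over the authenticated part (ESP header plus the encrypted payload) and keeps a 64-packet sliding window per security association. Encryption of the payload is outside this example: the payload is passed in as already-encrypted bytes, and the key, SPI and truncated HMAC-SHA-256 ICV are constructed assumptions.

```python
import hashlib
import hmac
import struct

WINDOW = 64   # anti-replay window in packets (RFC 4303 requires at least 32)
ICV_LEN = 16  # truncated HMAC-SHA-256 ICV carried in the ESP auth trailer (assumption)

def esp_icv(key, spi, seq, payload):
    """ICV over the authenticated part: ESP header (SPI, seq) plus the encrypted payload."""
    return hmac.new(key, struct.pack("!II", spi, seq) + payload, hashlib.sha256).digest()[:ICV_LEN]

def build_esp(key, spi, seq, encrypted_payload):
    """Sender side: ESP hdr | encrypted payload (IP hdr, IP data, ESP tr) | ESP auth."""
    return struct.pack("!II", spi, seq) + encrypted_payload + esp_icv(key, spi, seq, encrypted_payload)

class EspReceiver:
    """Receiver side of one inbound security association (SA)."""
    def __init__(self, key, spi):
        self.key, self.spi = key, spi
        self.highest = 0    # highest sequence number authenticated so far
        self.bitmap = 0     # bit i set => seq (highest - i) already received

    def accept(self, pkt):
        """Return True if pkt is authentic and not a replay; update the window only then."""
        spi, seq = struct.unpack("!II", pkt[:8])
        payload, icv = pkt[8:-ICV_LEN], pkt[-ICV_LEN:]
        if spi != self.spi or seq == 0:          # wrong SA; seq 0 is never sent on an SA
            return False
        if seq <= self.highest:                  # cheap replay check before the ICV
            diff = self.highest - seq
            if diff >= WINDOW or (self.bitmap >> diff) & 1:
                return False                     # too old, or already seen
        if not hmac.compare_digest(icv, esp_icv(self.key, spi, seq, payload)):
            return False                         # ICV mismatch: forged or corrupted
        if seq > self.highest:                   # slide the window forward
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << WINDOW) - 1)
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)
        return True
```

The window is only updated after the ICV verifies, so a forged packet with a high sequence number cannot push genuine traffic out of the window.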

  14. IPsec
  • Drawbacks
    • longer packets
    • higher processing overhead
    • higher end-to-end delay
    • support of IPsec in hosts/gateways required
  • Conclusion:
    • trade-off between security services and overhead
    • use of IPsec for VoIP depends on the underlying IP Telephony network

  15. Firewalls
  • located at border to public Internet
  • control incoming and outgoing traffic
  • offer security services on different layers:
    • network layer: packet filters
    • transport layer: transport layer gateways
    • application layer: application layer gateways
    • combination of these: e.g. bastion host between two packet filters
  • problem with VoIP: based on SIP or H.323, which use dynamic ports
  • solution: open pin-holes through firewall

  16. Firewall traversal for VoIP
  • example: SIP, initiate session using UDP
  [Figure: A sends INVITE / UDP through the firewall of A to B; the responses 180 Ringing / UDP and 200 OK / UDP and the RTP packets / UDP from B are blocked by A's firewall]

  17. Firewall traversal for VoIP
  • example: SIP, initiate session using TCP
  [Figure: A opens a TCP connection through the firewall of A to B and sends INVITE / TCP; 180 Ringing / TCP, 200 OK / TCP and ACK / TCP pass over the connection; RTP packets / UDP flow in both directions. Successful session establishment, but voice (RTP) packets from B are blocked by A's firewall]
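The pin-hole solution from slide 15 applied to the blocked RTP of slides 16 and 17, as an added example that is not part of the original presentation: a minimal SIP application layer gateway reads the SDP carried in INVITE and 200 OK, opens UDP pinholes for the advertised RTP port and the RTCP port next to it, and closes them on BYE. The sample messages, addresses, ports and Call-ID are constructed; the Pinhole and SipAlg names are this example's own.

```python
import re
from dataclasses import dataclass

# Constructed sample SIP messages (addresses, ports and Call-ID are made up).
SAMPLE_INVITE = (
    "INVITE sip:bob@192.0.2.20 SIP/2.0\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "c=IN IP4 192.0.2.10\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
)
SAMPLE_BYE = "BYE sip:bob@192.0.2.20 SIP/2.0\r\nCall-ID: a84b4c76e66710\r\n\r\n"

@dataclass(frozen=True)
class Pinhole:
    proto: str
    addr: str
    port: int

def sdp_pinholes(body):
    """RTP and RTCP pinholes implied by SDP media lines (port 0 = stream disabled)."""
    session_addr, media = None, []
    for line in body.splitlines():
        if line.startswith("c="):
            addr = line.split()[2]            # c=IN IP4 <addr>
            if media:
                media[-1][1] = addr           # media-level c= overrides session-level
            else:
                session_addr = addr
        elif line.startswith("m="):           # m=<media> <port> <proto> <fmt>
            media.append([int(line.split()[1]), session_addr])
    return {Pinhole("udp", a, p + i) for p, a in media if p and a for i in (0, 1)}

class SipAlg:
    """Tracks, per Call-ID, the pinholes the firewall must hold open."""
    def __init__(self):
        self.calls = {}

    def inspect(self, msg):
        """Process one SIP message; return the pinholes open for its call afterwards."""
        head, _, body = msg.partition("\r\n\r\n")
        call_id = re.search(r"^Call-ID:\s*(\S+)", head, re.M | re.I).group(1)
        if head.split(" ", 1)[0] == "BYE":
            self.calls.pop(call_id, None)      # call ended: close its pinholes
        elif "application/sdp" in head.lower():
            # the address:port each side advertises in SDP is where RTP must be let in
            self.calls.setdefault(call_id, set()).update(sdp_pinholes(body))
        return self.calls.get(call_id, set())
```

A real ALG would also apply a timeout to pinholes whose BYE never arrives, since a crashed phone leaves the hole open otherwise.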

  18. Other security solutions
  • VLANs
  • Intrusion Detection Systems (IDS)
  • Access control
    • device authentication (MAC address)
    • user authentication (username/password)
  • Anti-virus programs
  • Frequent security updates of applications or operating system

  19. A practical example

  20. Conclusions
  • VoIP much more insecure than PSTN
  • solutions to provide a certain level of security exist:
    • IPsec, firewalls, VLANs, IDS, anti-virus programs
    • Combination of these used in practice
    • trade-off between security services and cost
  • Improving security for VoIP is one of the factors that determine the success of VoIP

  21. Q & A Session

  22. Thank you for your attention!
