
Deploying IP Telephony in an Enterprise and the Vulnerabilities that Come With It

Brennen Reynolds, Department of Electrical and Computer Engineering, University of California, Davis. Security Lab Seminar – 7/17/02.


Presentation Transcript


  1. Deploying IP Telephony in an Enterprise and the Vulnerabilities that Come With It • Brennen Reynolds • Department of Electrical and Computer Engineering • University of California, Davis • Security Lab Seminar – 7/17/02

  2. Agenda • Introduction to IP Telephony • Challenges Faced with Deploying IP Telephony in Enterprises • Proposed Architecture Solutions • Security Issues Surrounding Converged Networks • An Architecture to Handle DoS Attacks

  3. What is IP Telephony? • The use of the Internet Protocol to implement POTS telephony functionality over a data network • IP Telephony is NOT the same as VoIP • VoIP uses IP to transport voice traffic over ANY network

  4. Implementing IP Telephony • Key Protocols: • Signaling - SIP or H.323 • Handles establishment, maintenance and teardown of sessions • Media Transport - RTP & RTCP • Transmits voice samples • Supporting Services - DNS, ENUM, TRIP, RSVP, STUN • Improve performance and ease of use

  5. Typical Call Setup (diagram of SIP IP Phones, SIP Proxies, DNS Server and Location Service, with steps numbered 1 to 6 and a Media Transport link between the phones) • A request is sent (SIP INVITE) to ESTABLISH a session • DNS Query for the IP Address of the SIP Proxy of the Destination Domain • The INVITE is forwarded • The Location Service is queried to check that the destination IP address represents a valid registered device, and for its IP Address • The request is forwarded to the End-Device • Destination device returns its IP Address to the originating device and a media connection is opened

  6. Why IP Telephony? • Advanced Services • video, email, instant messaging and web • Reduced Network Costs • Cheap computer equipment vs. expensive proprietary telco equipment • Reduced bandwidth usage per call • G.711 (PSTN codec) uses 64 kbps per call • IP Telephony codecs can use anywhere from 32 kbps to 5.3 kbps per call

  7. Enterprise Network Layout

  8. Challenges • Speech quality • Network Delay, Jitter, Packet Loss, Encoding Technique • Network requirements • Must match current carrier grade network uptime (99.999% or 5 min downtime per year) • Must be capable of handling huge volume of calls (in addition to other data applications) • Must allow for network modification

  9. Challenges Cont. • Access Management & Traffic Prioritization • Voice and data traffic have different requirements • Users must always be able to make a high quality call • Large data transfers may need to be throttled back • Security • Both data and voice share same network resources • IP protocol has security problems associated with it • Call signaling is now in-band with call data • Added intelligence at network edge (phone) • Susceptibility to attacks

  10. Problems Encountered • Major categories of problems • Network Capacity • Network Middleboxes • Firewall • Network Address Translation

  11. Infrastructure Problems • How much load would be added by IP Telephony? • Can an enterprise network designed for standard data applications provide the necessary guarantees? • Should IP Telephony be run over a separate data network?

  12. Firewall Problems • Must allow new ports to be open • Application doesn't use well-known ports • Ports are negotiated at runtime • Transmitted in application-level header • Must allow UDP traffic to pass through firewall • Many enterprises don't want to allow this

  13. NAT Problems • User Agents require routable end-to-end connections • Purpose of NAT is to use private (hidden) addresses • IP address is now included in multiple places in packet • Not just IP header • NAT devices only translate IP header information

  14. Proposed Solutions • All Access • Traffic Redirection • Application Proxy • Protocol Tunneling

  15. All Access • Removes all restrictions • Accomplished by removing NAT devices • Removal of all firewall rules • Provides no security at all

  16. Traffic Redirection • All telephony traffic that is destined for endpoints outside the enterprise is redirected over the PSTN • Negates the reduced cost of deploying IP telephony because a large number of PSTN voice trunks are still required

  17. Application Proxy • A proxy server is positioned in parallel with the firewall • All IP telephony traffic is routed through the proxy instead of the firewall • Each new application will require an individual proxy • Additional interface to the enterprise network

  18. Protocol Tunneling • All IP telephony traffic is sent through a tunnel running over a fixed port scheme • Added overhead of encapsulation of each packet • Provides avenue for malicious traffic to disguise itself as legitimate

  19. STEM Network Architecture • Firewall is aware of the entire network stack and automatically opens pinholes • SIP proxy server protected in the DMZ • Requires replacement of existing firewalls with dynamic, intelligent versions

  20. Comparison of Solutions

  21. Solving Security Issues • With Strong Authentication • With Payload Encryption • With Enterprise Domain Authentication • With Network Architecture

  22. Strong Authentication • Call Based Denial of Service • CANCEL messages, BYE message, Unavailable responses • Call Redirection • Re-registering with bogus terminal address, user moved to new address, must use additional proxy • User Impersonation

  23. Payload Encryption • Capture and decoding of voice stream • Can be done in real-time very easily • Capture of DTMF information • Voice mail access code, credit card number, bank account • Call profiling based on information in message headers

  24. Enterprise Domain Authentication • Unauthorized party connected to enterprise network making calls • Enterprise networks are easy to get access to • Wireless, conference rooms, waiting areas • A single user could easily saturate voice ports at M/S gateway if they wanted to

  25. Network Architecture • Resource consumption DoS attacks • Network bandwidth, server resources, human time • Camouflaging hostile traffic • Malicious data flows

  26. DoS Attacks in Converged Networks • Three points of attack • Network bandwidth between enterprise and external network • Server resources at control points • End user’s efficiency

  27. Internet Originated Attack • Enterprise network connection can be flooded using techniques like SYN flooding • Resources on SIP proxy can be exhausted by a large flood of incoming calls • End user receives large number of SIP INVITE requests in a brief period of time

  28. PSTN Originated Attack • Signaling link between M/S gateway and PSTN STP becomes saturated with messages • Voice ports on the M/S gateway are completely allocated • Large number of PSTN endpoints attempt to contact a single individual resulting in a high volume of INVITE messages

  29. Network Framework For Detecting and Responding to DoS Attacks • Each resource consumption DoS attack has a unique signature • All the signatures have a similar behavior • An algorithm can be created to detect this behavior • Sensors can be implemented based on the algorithm • Appropriate responses can be activated to reduce the impact of the attack after detection

  30. Information Sampling • IP telephony and the underlying protocol (TCP) both include some form of handshaking during the connection setup phase • Monitoring the volume of connection attempts vs. volume of complete connection handshakes can be used to detect an attack

  31. Detection Algorithm • All connection setup attempts and complete handshakes are counted during the observation period • Upon expiration of the sampling period the difference is computed and normalized • Under normal operation, the resulting value should be very close to 0 • In the presence of an attack, the result is a large positive number

  32. Types of Attack Sensors • To ensure the detection and protection of the three targets, two sensors must be built • Application Layer Attack Sensor • Network Layer Attack Sensor

  33. Application Layer Attack Sensor • Monitors the number of SIP INVITE requests vs. SIP OK (call acceptance) responses • Each URI is monitored independently • Upon flood detection, proxy or M/S gateway returns temporarily busy messages

  34. Network Layer Attack Sensor • Monitors the number of TCP SYN and ACK packets • Traffic is monitored at a high level aggregate • Upon attack detection, throttling is applied by perimeter devices (e.g. firewall) • If attack persists, traceback technologies can be used to drop malicious traffic at an upstream point

  35. New Enterprise Network Topology

  36. Future Work • Implementation of the sensors and collection of performance and detection results • Design of a module to detect malicious flows

  37. Questions?
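
The detection algorithm of slides 30 and 31, applied per URI as the application layer sensor of slide 33 describes, is sketched below as an added example; it is not code from the presentation. The observation period, the alarm threshold, the choice to normalize by the number of accepted calls, and the event tuples are all assumptions made for illustration.

```python
from collections import defaultdict

PERIOD = 10.0     # observation period in seconds (assumed value)
THRESHOLD = 5.0   # alarm level for the normalized difference (assumed value)

# Constructed sample input: (timestamp, message, target URI), already parsed.
# "INVITE" is a call setup attempt; "200" stands for the OK that accepts an INVITE.
ALICE, BOB = "sip:alice@example.com", "sip:bob@example.com"
SAMPLE_EVENTS = (
    [(t, "INVITE", ALICE) for t in range(0, 10, 2)]          # 5 normal calls
    + [(t + 1, "200", ALICE) for t in range(0, 10, 2)]       # all accepted
    + [(10 + i * 0.1, "INVITE", BOB) for i in range(60)]     # burst aimed at one URI
    + [(11, "200", BOB)]                                     # only one is answered
    + [(12, "INVITE", ALICE), (13, "200", ALICE)]            # alice is unaffected
)

def score_periods(events, period=PERIOD):
    """Return {(period_index, uri): normalized (attempts - completed)}."""
    counts = defaultdict(lambda: [0, 0])      # [setup attempts, completed handshakes]
    for ts, msg, uri in events:
        key = (int(ts // period), uri)        # each URI is monitored independently
        if msg == "INVITE":
            counts[key][0] += 1
        elif msg == "200":
            counts[key][1] += 1
    # Assumed normalization: divide by completed handshakes, guarding against
    # a period with none. Near 0 in normal operation, large under a flood.
    return {k: (a - c) / max(c, 1) for k, (a, c) in counts.items()}

def flooded_uris(events, period=PERIOD, threshold=THRESHOLD):
    """(period_index, uri) pairs whose score exceeded the threshold.

    These are the URIs for which the proxy or M/S gateway would start
    answering with temporarily-busy responses.
    """
    scores = score_periods(events, period)
    return sorted(key for key, s in scores.items() if s > threshold)

if __name__ == "__main__":
    for key, s in sorted(score_periods(SAMPLE_EVENTS).items()):
        print(key, round(s, 2))
    print("flooded:", flooded_uris(SAMPLE_EVENTS))
```

A call whose INVITE and OK fall in different periods adds a small positive value to one period and a small negative value to the next, so the threshold has to sit well above that noise.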
