
Challenges in Securing Converged Networks



Presentation Transcript


  1. Challenges in Securing Converged Networks. Prepared for: Telcordia. Contact: John F. Kimmins, Executive Director, jkimmins@telcordia.com, 732-699-6188. 2007 CQR Conference.

  2. Outline • Threats • Vulnerabilities • Architecture Boundaries • Insider • External • Application • Logical Domains • Other Challenges • Market Perspective

  3. Example Service Provider Architecture
     • SIP Endpoints
       • Soft Phones, VoIP Phones, Attached Terminal Adaptors (ATA)
     • SoftSwitch
     • Signaling Gateway
     • Media Gateway
     • Media Gateway Controller
     • Session Border Controller (SBC)
     • Registration & Location Servers
     • Supporting Servers
       • Authentication, Authorization, and Accounting (AAA) servers
       • Call Data Record (CDR) servers
       • Domain Name Service (DNS) servers
       • Network File Server (NFS)

  4. Threats
     • Confidentiality
       • Eavesdropping (including traffic analysis)
       • Interception of signaling or media stream
     • Integrity
       • Modification of signaling (rerouting/masquerading)
       • Modification of media stream (impersonation)
       • Fraud (Caller ID cannot be trusted)
       • Integrity of stored data and systems
     • Availability
       • Service disruption (amplification attacks, DoS/DDoS)
       • Denial of service against signaling or media stream
       • Spam over Internet Telephony (SPIT)
     • Unauthorized access (compromising systems with the intention of attacking other systems, or exploiting vulnerabilities to commit fraud and eavesdropping)

  5. Types of Vulnerabilities
     • Applications:
       • Buffer overflows, format-string exploits, scripts, password exploits, overload (DoS, DDoS)
     • Protocols:
       • Session tear-down, impersonation, session hijacking, tampering with messages at the SIP-to-SS7 boundary, malformed messages, overload (DoS, DDoS)
     • Supporting services:
       • Address resolution and directory services (DNS, LDAP, ENUM), email (SMTP), supporting databases (SQL), SNMP, STUN used for NAT traversal
     • OS and networking:
       • Buffer overflows, format-string exploits, scripts, password exploits, overload (DoS, DDoS), ARP cache poisoning
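Two of the protocol-level problems on this slide, malformed messages and session tear-down, can be spotted on the wire with a light sanity check on each SIP request and a record of which dialogs were actually opened. The block below is an added example in Python, not part of the presentation or any Telcordia product; the SIP messages, the 512-byte header limit and the example.com addresses are constructed for the demonstration.

```python
import re
# Added example (not from the slides): SIP request sanity check plus a dialog
# tracker that flags malformed requests and blind BYE/CANCEL tear-down attempts.
# `dialogs` maps Call-ID -> From tag of the INVITE; sip_request builds constructed input.
MANDATORY = ("Via", "From", "To", "Call-ID", "CSeq")

def parse_sip(raw):
    """Return (method, headers) or raise ValueError if the request is malformed."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    m = re.match(r"^([A-Z]+) (\S+) SIP/2\.0$", lines[0])
    if not m:
        raise ValueError("bad request line")
    headers = {}
    for line in lines[1:]:
        if ":" not in line or len(line) > 512:  # 512 is a constructed limit
            raise ValueError("bad or oversized header " + repr(line[:40]))
        name, value = line.split(":", 1)
        headers[name.strip()] = value.strip()
    missing = [h for h in MANDATORY if h not in headers]
    if missing:
        raise ValueError("missing " + ",".join(missing))
    cl = headers.get("Content-Length")
    if cl is not None and (not cl.isdigit() or int(cl) != len(body)):
        raise ValueError("Content-Length mismatch")
    return m.group(1), headers

def tag_of(header):
    m = re.search(r";tag=([^;\s]+)", header)
    return m.group(1) if m else ""

def inspect(dialogs, raw):
    try:
        method, h = parse_sip(raw)
    except ValueError as err:
        return "ALERT malformed: " + str(err)
    cid = h["Call-ID"]
    if method == "INVITE":
        dialogs[cid] = tag_of(h["From"])
    elif method in ("BYE", "CANCEL"):
        # Either side may end the call, so the opening tag may sit in From or To.
        if cid not in dialogs or dialogs[cid] not in (tag_of(h["From"]), tag_of(h["To"])):
            return "ALERT " + method + " does not match a known dialog: " + cid
    return "ok"

def sip_request(method, call_id, from_tag, to_tag="", body=""):
    to = "<sip:bob@example.com>" + (";tag=" + to_tag if to_tag else "")
    return (method + " sip:bob@example.com SIP/2.0\r\nVia: SIP/2.0/UDP 10.0.0.1\r\nFrom: "
            "<sip:alice@example.com>;tag=" + from_tag + "\r\nTo: " + to + "\r\nCall-ID: " + call_id
            + "\r\nCSeq: 1 " + method + "\r\nContent-Length: " + str(len(body)) + "\r\n\r\n" + body)
```

A tear-down that copies both dialog tags from sniffed signaling is not caught by this check, which is why the slides' confidentiality threats (eavesdropping on signaling) and transport protection matter as much as message validation.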

  6. End-to-End View (diagram). Source: ITU Y.2701 (Security Requirements for NGN). The diagram shows the Service Provider A and Service Provider B domains, each with users, devices and CPEs, access (xDSL, Cable, FTTP, WiFi, WiMAX), transport, softswitch/CSCF, application servers and a service stratum, plus enterprise and home networks, a transit network and a 3rd party provider, joined by UNI, NNI and ANI interfaces.

  7. Insider Perspective

  8. Operations Network Interfaces

  9. External Perspective

  10. Attempts to Bypass Filtering

  11. Application³ Interface Security: OSA/Parlay Interface (diagram). The diagram shows enterprise/third party provider OSA/Parlay applications (Application A and others) reaching, through the OSA/Parlay APIs, the OSA/Parlay Framework and Service Control Features; an OSA/Parlay Gateway (Service Capability Server) provides IMS third party access to the IMS network and IMS core components. * Application³ means Third Party Application.

  12. Logical Segmentation Challenges
     • Logical segmentation of the management/signaling/user layer between locations:
       • Secure logical separation of domestic and international VoIP/NGN components
       • An intruder from a foreign location could attack key domestic network elements because there may be insufficient barriers between domestic and international domains.

  13. Internal Security Boundaries Needed?

  14. An End-to-End View of Potential Security Vulnerabilities

  15. Other Challenges in Security
     • End-to-End Security Management
       • Scaling across network domains, national and international domains (e.g., countries/continents)
       • Hop-by-hop or end-to-end
     • Identity Management
       • Identity across network domains, national and international domains (e.g., countries/continents)
       • Associated with a location
       • Private/public identities, role and context based identifiers

  16. Evolving Trust Model (diagram). Source: ITU Y.2701

  17. NNI Trust Model (diagram). Source: ITU Y.2701

  18. Market Perspective
     • How's security in VoIP/NGN products today?
       • Poor to average
       • Security controls are not mature
       • Not well implemented in deployments
       • Implementations inherit traditional vulnerabilities (e.g. buffer overflows)
       • Security performance and reliability are critical elements and need to be improved
       • Security features to enforce a stronger security posture (protocol, user and boundaries) are not uniformly implemented
       • Baseline security requirements for product vendors are often vague
       • Signaling and media security are not fully recognized by the market
       • Integration of security functionality is still evolving
       • Organizational issues are not fully identified and addressed
