Secure Realtime Enablement of Unified Communications Ravi Varanasi Vice President, Engineering Sipera Systems ravi@sipera. com 408 -398 -0725 (M)
Unified Communications: Security and Enablement Requirements for proliferation of Unified Communications over IP: Need for Granular control, Realtime application level security è Confidentiality, Integrity of communications Qo. S requirements for latency sensitive applications Need for a comprehensive application-layer security approach to enable pervasive, real-time unified communications Comprehensive VPN, Firewall, IPS, DPI & Anti-Spam for UC Application-Layer Vo. IP protocols, call-state, services, subscriber aware Pervasive Soft Phones, Remote Users, SIP Trunks, Click-to-Talk Real-time Deterministic, very low latency; Not store and forward Unified Communications Vo. IP, IM, Video, Multimedia, Presence, Collaboration Over SIP, SCCP, Microsoft OCS, IMS …
Policy enforcement: Key to security Granular rules based on match criteria Can partners call partners? Is video allowed in this domain? Should IM be allowed? With/Without attachments? Actions based on a vulnerability pattern Proactive Security model Reactive Security model Forensics Detect “Bad behavior” Traditional IDS/IPS approach Signature/Pattern detection Enforce corporate admission policies Device/User level auth Deep packet inspection firewall Policy violation Security Breach Application aware, L 7 corporate granular admission control, authentication policies
Secure *ALL* open communication channels (S) P HTT SCEP SOAP SIP Phone LDAP Centralized Configuration Server X. 509 Certificate Server Personal Profile Manager SIP Enablement Server Corporate Directory Server HTT P(S ) (S) Web Server RT P SIP Phone
Preserve UC experience while securing it Purpose-built, Real-time Hardware Media Latency Media Real-Time Independent Planes Media Signaling Traditional Shared Resources Signaling • Purpose-built from ground up • Separate signaling and media plane • Latency sensitive: fast path for media • Minimize jitter: deterministic performance Increased Attacks Traditional Real-Time 100 µs Call Volume
Security approach for UC • Real-time – Purpose-built hardware – Offer security within the bandwidth and latency budgets of Vo. IP • Complex protocol; application layer – Dedicated research and Vo. IPspecific signatures – Application protocol depth • Human interactive – Verify: minimize false +/– Behavior analysis • Weak endpoints; peer-to-peer – Vo. IP access control – Low CPU encryption – Application-layer participation Real-time Weak Vo. IP Endpoints Peer-to-peer Vo. IP is Different Human Interactive Complex Protocols for Rich Features Application Layer
Security Gaps with IP PBX and VLANs • UC requires integration of services, devices – Breaks traditional island based model – Peer-to-peer apps break client server model • New threat vectors – Vo. IP devices are weak – Data-to-Vo. IP threats – Vo. IP-to-data threats • Needs access control – Wi-Fi phones – Softphones • Privacy for some – HR communication Enterprise PBX E-mail WWW VM Ca ll Voice Vo Si s ce ic i rv e gn Ma il al in g eb W Se Data Call Media Infected PC
UC Security Solution for IP PBX and VLANs • Policy definitions need to be multidimensional – Users, devices, networks, To. D Enterprise PBX VM E-mail WWW • Address new threat vectors – Dedicated UC research – UC vulnerability signatures Voice Data • Access control – Authentication digest, X. 509 • Privacy for communication in certain zones – TLS/SRTP Infected PC
UC Security Solution for Mobile Workspaces • Authentication and access control Hacker – 2 -factor authentication – Configuration enforcement, quarantine Internet • Privacy, Authorization – SRTP and TLS • Threats from public Internet Enterprise – Dedicated UC research – UC vulnerability signatures PBX
Holistic Approach for UC Security • Establish policy – Define security policies based on needs of organization • Assess risk – Perform Vo. IP vulnerability assessment • Implement protection – Deploy comprehensive, real-time UC security solution • Manage compliance – Policy enforcement and reporting – Ongoing, periodic assessments
UC vs Data Security Vo. IP/Video Voice, Video, IM, Collaboration Remote UC enablement, IP-PBX security, Mobility control, Toll fraud, mutual-auth, centralized management, TLS, SRTP, ERTP Data L 7 services, Security Web Services, IM, File Transfer, Network Mgmt. , Authentication, Directory Services, Name Services, SSL Real time Voice/Video security Message security Call flow/state aware, behavioral AD, signatures, semantic protocol scrubbing, fingerprinting, Vo. IP SPAM, false +ve free drop actions SIP, SCCP, IMS, UMA L 7 protocol proxy Regex based, hierarchical policy Statistical AD, IPS, AV signatures Full/cut-through TCP proxy HTTP, P 2 P, IM, SMTP, XML, IPSEC Vo. IP Do. S/DDo. S Protection Data Do. S/DDo. S Protection SIP (Avaya, Cisco, Msft Nortel), SCCP (Skinny), IMS, UMA, OCS HTTP, FTP, ESMTP, TFTP Protocol Inspection and RFC Compliance SIP, SCCP (Skinny), MGCP, TFTP, H. 323, RTP/RTCP/RTSP, TAPI/JTAPI HTTP, FTP, SMTP, TFTP, SMTP/ESMTP, DNS/EDNS, LDAP, NTP, RPC Network Protection TCP, UDP, ICMP, DHCP
Comprehensive, Real-time UC Security Mobile Workspaces Hacker • Define security policies – What UC applications are you planning to use and rules that govern UC? Internet • Address risks and gaps Rogue Device – Understand new risks due to UC in your deployment – Understand new gaps introduced in current security • Address special needs for UC • Deploy UC security solution – – Threat protection Policy enforcement Access control Privacy ITSP SIP Trunks Enterprise – Real-time – Peer-to-peer – UC security zones PBX PSTN Infected PC IP PBX & VLANs
SIP security use cases Soft Clients IP Phones IP PBX Rogue Device Vo. IP VLAN ► SIP IM Compliance ► IP PBX Security Wi. Fi/Dual Mode Phones Data VLAN ► Remote User Security ► Wi. Fi/Dual-mode Phone Security ► Secure Proxy ► Click-to-Talk Security DMZ ► SIP Trunk Security Crumbling Enterprise perimeter: Extension from trusted to untrusted domains • Soft clients • Remote users • SIP trunks • Mobility • Click-to-talk Rogue Employee Infected PC Service Provider Customer pain points. Internet • Secure remote UC enablement • Security threats from external and internal clients • Multiple exceptions on secure firewalls to enable UC Infected PC Partner Click-to-Talk Hard Phone Dual-mode Phone Spammer Bad Guys
Defense in Depth Real-time, Vo. IP call state aware, signature and behavior-based signaling & media protection (Including encrypted traffic) Attacks blocked by IPS Attacks blocked by Firewall Layer 3 Layer 4 L 3 Security is now a commodity market Microsoft/ HTTP Attacks moving towards L 7 as hackers target applications and services. SIP/SCCP Fuzzing Network is a platform rather than a pipe. SCCP/SIP/RTP Floods Need of the hour: Inline, reliable, lowlatency deep packet inspection, stateaware security devices. SCCP/SIPSpoo fing SCCP/SIP Stealth Attacks Vo. IP SPAM Legitimate Traffic Firewall IDS/IPS UC security function/device Call Server
$1000_sha Integrity and Access Control X $10000_sha • Strong authentication – X. 509 Certificates, 2 -Factor Authentication, SIP Digest Authentication • Integrity protection – TLS with SHA 1, SRTP with SHA 1, SIP Digest with auth_int • Blocking spoofing, caller ID fraud, rogue devices and rogue media packets • Configuration and patch enforcement, quarantine
ôh; ù’°–¹q€IP‡m Confidentiality and Privacy SSN: 123 -45 -6789 • • • SSN: 123 -45 -6789 Signaling encryption – TLS Media encryption – SRTP User privacy – Caller ID hiding Network privacy – Topology hiding Blocking reconnaissance scans
Availability and Threat Protection X • • Blocking application layer Do. S floods Blocking distributed denial of service (DDo. S) Blocking stealth Do. S Blocking malformed or fuzzed messages
Access Control: X. 509 Certificate Based Mutual Authentication Step 1 Install CA Root and Certificates from each side Root Certificate Issuer: XYZ Subject: XYZ Certificate Issuer: XYZ Subject: Device. Name Certificate Issuer: XYZ Subject: Company-name abc-corp IP PBX Remote Phone 2 a. Send Cert & Cert Request Internet Intranet 4. Validated SIP Request 2 b. Send Cert Validate SIP Domain, Certificate Subject Name 3. SIP Request
Privacy: TLS/SRTP Encryption DMZ IP PBX Intranet Internal External Firewall/ +NAT Router FW/NAT Traversal Soft Switch 1. Encrypted signaling over TLS Internet 4. Media RTP 3. Encrypted media SRTP 2. Signaling over TCP/UDP Unencrypted Signaling: SIP/TCP Unencrypted Media: RTP Encrypted Signaling: SIP/TLS Encrypted Media: SRTP (HW 50 µsec) SRTP vs IPSEC: Overhead, latency, setup and routing considerations
NAT & Topology Hiding User 2 Info from SIP headers that can expose topology • Internal domains, application servers • Hops in network (record-route option) • L 3 -L 4 info • Call-id, Contact, Refer-to, Call-info, Geolocation, P-Asserted-Id … 192. 168. 1. 188 FINANCE. COMPANY. COM 192. 168. 1. 198 PHONE 192. 168. 1. 199 COMPANY. COM ITSP 202. 201. 200. 199 EXTERNAL. COM 192. 168. 1. 197 203. 201. 200. 198 FINANCE. COMPANY. COM user 192. 168. 1. 187 INVITE From: user@finance. company. com To: PHONE@EXTERNAL. COM SDP: 192. 168. 1. 187 INVITE From: PHONE@EXTERNAL. COM To: user@finance. company. com SDP: 192. 168. 1. 199 INVITE From: user@company. com To: PHONE@EXTERNAL. COM SDP: 202. 201. 200. 199 INVITE From: PHONE@EXTERNAL. COM To: user@company. com SDP: 203. 201. 200. 198
Privacy: User Identity privacy user PHONE COMPANY. COM INVITE From: user@COMPANY. COM To: PHONE@EXTERNAL. COM ITSP EXTERNAL. COM INVITE From: ANONYMOUS@COMPANY. COM To: PHONE@EXTERNAL. COM P-Asserted-Id: user@COMPANY. COM Privacy: Id
Fuzzing Protection: Protocol Scrubbing //Valid REGISTER sip: ss 2. wcom. com SIP/2. 0 Call Servers //Fuzzed %S%S%S%S%S%S%S%S%S sip: ss 2. wcom. com SIP/2. 0 Valid Fuzzed Via: SIP/2. 0/UDP there. com: 5060 From: Little. Guy <sip: User. B@there. com> To: Little. Guy <sip: User. B@there. com> Call-ID: 123456789@there. com CSeq: 2 REGISTER Contact: <sip: User. B@110. 111. 112. 113> Authorization: Digest username="User. B", realm="MCI World. Com SIP", nonce="ea 9 c 8 e 88 df 84 f 1 cec 4341 ae 6 cbe 5 a 359", opaque="", uri="sip: ss 2. wcom. com", response="dfe 56131 d 1958046689 cd 83306477 ecc" Content-Length: 0 • PROTOS and SIP torture signatures – Need to check signal messages against proper formatting, field length, content, etc. – Regex based flexible rules, per UA type based rules • Signatures updatable constantly
Spoofing Prevention 3. Phone moves to new location IP PBX 5. Phone re-registration complete 6. Update fingerprint 4 b. Fingerprint mismatch, SIP Challenge, Response 4 a. Phone tries to re-register Internet Intranet 1. Phone registers 2. Learn fingerprint IP, Src: 172. 16. 1. 10, Dst: 172. 16. 1. 20 TCP, Src Port: 4925, Dst Port: 5060 REGISTER sip: ss 2. wcom. com SIP/2. 0 Via: SIP/2. 0/UDP there. com: 5060 From: Little. Guy <sip: User. B@there. com> Call-ID: 123456789@there. com Contact: <sip: User. B@172. 16. 1. 10> 7. Attacker script tries to spoof register 8. Fingerprint mismatch, SIP Challenge, No response, Registration disallowed IP, Src: 172. 16. 1. 11, Dst: 172. 16. 1. 20 TCP, Src Port: 4933, Dst Port: 5060 REGISTER sip: ss 2. wcom. com SIP/2. 0 Via: SIP/2. 0/UDP there. com: 5060 From: Little. Guy <sip: User. B@there. com> Call-ID: 123456789@there. com Contact: <sip: User. B@172. 16. 1. 11>
Zero-Day Attack mitigation with Behavior Learning IP PBX 1. Observe non conformant rate of traffic to protected endpoint 6. Allow call Intranet 4. New call Internet 5. Challenge, Valid Response 2. Attacker makes call Protected Endpoint 3. Challenge, No response, Source Blocked
Remote user enablement: Vo. IP/Video, OCS, Telepresence RADIUS AAA server Token Auth Server IP PBX • Encrypted Signaling & Media • Voice/Video optimized • Built in security 3. Authenticate incoming user Internal Firewall +NAT Intranet DMZ External Firewall +NAT 5060 always open 2. TLS Setup Internet 4. Signaling over TLS 5. SRTP/ERTP Media 3. Media RTP 4. Signaling over TCP/UDP 100 - 1000 media ports 4. Fingerprint Verification Do. S/DDo. S and Fuzzing Prevention Anomaly Detection and Prevention Behavior Learning Voice SPAM Prevention 5. Media Anomaly Detection and Prevention
SIP trunk § Definition • SIP Trunk: Service offered by an ITSP (Internet Telephony Service Provider) that connects a company's IPPBX to the telephone system (PSTN) via Internet using the SIP Vo. IP standard. § Extending Vo. IP • IP-PBX: Convergence of data and Voice over LAN • SIP trunk: Extend this convergence over WAN/Internet Enterprise PBX PSTN MGW SIP Trunk ITSP ISP LAN Internet
SIP Trunk Benefits for Enterprises Internet PSTN ITSP ISP SIP Trunk PBX MGW Head-Quarters § Cost Savings: Operational and Capital § Allows for Consolidation: One ISP/ITSP, One Data Center PBX MGW Branches § Simplicity: works with installed IP-PBX and telephones § Efficiency: Bandwidth, least cost ITSP route selection.
SIP IP-PBX: Trunk vs Line side functions • Call delivery Trunk – One switch (IP-PBX) to another – Basis: Routing rules, domain preferences, dial-plans, configuration. – Trunk reconfig/rerouting needed in case user moves. • Call establishment – Local IP-PBX to Ext-network – Between ITSPs – Inter-site communication over public domain. • Specific functions – – Admission control Policies: Services offered Billing, CDRs Options for keepalive msgs. • Call delivery Line side – End-user to IP-PBX – Basis: Registration, Contact info driven. – Mobility control: call delivered based on SIP: Contact • Call establishment – Call leg 1: End-user to IP-PBX. – Call leg 2: • IP-PBX to end-user (local) • IP-PBX to Trunk • Specific functions – Phone registration – Admission control – VPN connectivity
Call establishment: Line side vs Trunk Line side SIP Trunk IP-PBX REGISTER 200 OK INVITE SDP 200 OK SDP Media to endpoint Via IP-PBX if anchored Optional Route lookup Media flows to endpoint Via SIP trunk REINVITE REFER BYE 200 OK Optional BYE 200 OK REFER/REINV
Multiple Vo. IP protocol environment Soft Switch SIP Trunk SIP Enterprise H. 323 or Skinny or SIP Remote SBC ITSP Enterprise IP-PBX • Supports H. 323/SIP/Skinny on line side • Converts signaling to SIP. Initiates INVITE • Protocol Interworking (SIP others) • Ex: NT CS 1000: H 323/Unistim -> SIP • Cisco CCM: Skinny line side -> SIP • Avaya CM: H. 323 -> SIP • RFC compliance, handling interoperability Soft Switch • Interfacing with IP-PBX’es from multiple vendors • MGW connectivity for PSTN • CDRs, Billing, Payment services • Call routing, Dial plans MGW PSTN
“Bank” Case Study Internet ITSP PSTN SIP Trunk PBX MGW Head-Quarters § About “Bank” • • § Replace TDM Trunks with SIP Trunks to carrier to reduce costs Consolidate distributed PBXs to 1 datacenter and remove from 3 branches Solution: • • Global Bank; 25000 Employees PBX Vendor: Avaya Business Needs: • Branches § Secure SIP Trunks to HQ Secure SIP Trunks to branches Results: • • • $ 70, 000 per month on long distance cost $ 15, 000 per month saving for two branch (PBX/MGW maintenance) First year saving of $1. 1 million
UC Security Solution for SIP Trunks Rogue Device • Security policy – Control your own policies – Demark Vo. IP layer Enterprise SIP Trunk PBX • Threat protection – Flood protection – Signatures for UC vulnerabilities • Privacy – TLS/SRTP PSTN ITSP Internet LAN
SIP Trunk Security & Enablement ISP/Operator Network Bad Guys SIP Server Enterprise D Routers Enterprise C Enterprise B • Vo. IP VPN • TLS proxy • SRTP proxy • Vo. IP Firewall • FW/NAT traversal • Whitelist/Blacklist • Call admission control • Domain Policies • Call Routing Policies • Vo. IP Intrusion Prevention • Vo. IP Anti-spam DMZ External FW/NAT Internal FW Enterprise A IP PBX Soft Clients & IP Phones
SIP Trunk security device functionality Secure UC Access • Keep PBX, phones, numbering • Enforce voice quality • Visibility in voice quality SLAs • Topology hiding of internal network • Standards based encryption using TLS/SRTP • X. 509 Certificate, digest authentication, AAA UC Policy Enforcement • Enhance security policies • Control real-time services • Black list domains/users • Control access based on network, device, user, SIP domain, time of day UC Threat Prevention • Block Do. S/DDo. S • Block malicious traffic • Block spoofed devices • Zero day protection
SIP trunk security issues • SIP URI and domain harvesting – Reconnaissance attack using different domain names – Ex: Attacker/Infected laptop in enterprise sends INVITE directly to carrier • The SIP message below doesn’t go through local IP-PBX – From: sip: user@sipera. com To: sip: xyz@att. net • This attack reaches AT&T. Carriers don’t check “strictly” whether this message is “from IP-PBX at sipera. com” before processing it. • SIP device enumeration – Attacker discovers IP addrs of all intermediate devices from via and record-route info in SIP message. • Evesdropping, Person-in-the-middle-attacks – Through DNS poisoning, modifying INVITE • Call pattern analysis – Who’s calling whom, social network, usage stats, rival ITSP information – Telemarketer’s paradise! • Password cracking, call hijacking – Default, weak passwords can be used to succeed 407 authentication challenge
SIP trunk security issues: Threats to Integrity • SIP request spoofing – Session teardown: Attacker replicates SIP hdr (with To, From, Call-id, CSeq) and sends a CANCEL/BYE to disrupt the call. – REGISTER spoofing: Replication of REGISTER with bogus contact information. – Billing fraud: Through REGISTER spoofing – User-ID spoofing: Presence of P-Asserted-ID needs to be enforced on both ends of SIP-trunk. Need to check federation the user belongs to. • SIP reply spoofing: – Forged 200 OK response – Forged 302 response • “ 302 temporarily moved” – Forged 404 “not found” • Call disruption
SIP Media Security Threats (contd) • Media hijacking – RTP evesdropping • Media session tear down – Bogus RTCP bye in the middle of session – RTCP messages are generally not authenticated • Qo. S degradation – Attacker sends wrong RTCP reports with inflated jitter, packet loss • Malformed media – Negotiated vs actual Codec • Media flooding
SIP trunk: Security solutions • • • Strong Mutual Authentication TLS/SRTP – for integrity and confidentiality Hardened border element DOS/DDOS protection Rate limiting Topology hiding Ingress Filtering / Reverse-Path Filtering Digest authentication on request/responses Strong identity assertion: Authenticate INVITE requests SRTP, SRTCP
SIP Trunk Least Cost Routing Enterprise IP Phones IP PBX Flow Criteria Network: User: Device: To. D: Vo. IP VLAN Support Avaya 4602 Night Flow Criteria Service Network: User: Device: To. D: Application: Media: Signaling: Routing: Security: Vo. IP VLAN Support Avaya 4602 Day No IM, No Video SRTP, G 729 TLS SP 1 Protect floods Data VLAN Service Application: Media: Signaling: Routing: Security: IM, Video RTP, G 711 TCP SP 2 Protect floods SP 1 SP 2 To. D and Priority Routing allows overall lower operation costs
Security and Interoperability in mixed environment IP PBX/Core SIP Providers Hard Phones Soft/Dual Mode Phones
L 7 granular policies Criteria IP PBX Functionality Vo. IP Firewall: Block Network: User: Device: Data VLAN Support Nokia E 61 Mobile Phone Rogue Device Data VLAN Vo. IP VLAN Criteria Network: User: Device: Functionality Vo. IP VPN: No crypto Vo. IP Firewall: G 711, No NAT Vo. IP IPS: Protect against stealth attacks on phone Anti-spam: Protect against Spam Internet Functionality Criteria Network: User: Device: Internet Support Nokia E 61 41 © 2007 Sipera Systems, Inc. All Rights Reserved. Data VLAN Support Mobile Phone Remote/Mobile Users Vo. IP VPN: TLS/SRTP Vo. IP Firewall: Low BW, Remote NAT Block Video Vo. IP IPS: Protect against stealth attacks on phone Anti-spam: Protect against Spam Corporate Overview
– Wi-Fi phones/Softphones • User mobility – Shared office spaces To D • Address all dimensions of UC • Not just networks • Not just users • Device mobility User Multi-Dimensional UC Policies ice Dev Network
Policy Enforcement: Centralized UC Policies Enterprise IP PBX IP Phones Soft Clients Vo. IP VLAN Wi. Fi/Dual Mode Phones Data VLAN Internet SP Partner Click-to-Talk Hard Phone Dual-mode Phone Request S O U R C E F L O W § § Network Device User Time of Day S O U R C E P O L I C Y § § § App Media Routing Security Signaling Apply Routing D E S T § F L § O § W§ Network Device User Time of Day D E S T P O L I C Y § § App Media Security Signaling
Policy Control: Network, Device, User, To. D Enterprise IP PBX Determine Network IP Phones Soft Clients Wi. Fi/Dual Mode Phones Vo. IP VLAN Data VLAN Internet Flow Criteria Determine Network Internet Partner SP Hard Phone Determine Device Determine User Determine To. D Determine Device Soft Clients Click-to-Talk Hard Phone Dual-mode Phone Wi. Fi/Dual Mode
UC Security Best Practices • Perform UC vulnerability assessment – Identify risks and potential vulnerabilities • Implement strong UC policies – Enforce signaling, media and application rules • Police UC security zones – Control access based on network, user AND device • Apply UC-specific threat protection – Backed by dedicated Vo. IP and UC security research – Understand user behavior to eliminate false +/- • Access control for UC – Strong two-factor authentication • Enforce strong encryption – All signaling and media must be encrypted for privacy
Real-time Security: Summary Against resource exhaustion Hardened Linux kernel, restricted access Application aware RED filters IPC, internal transport API Signaling and Media Do. S protection Stealth Do. S, Phone Do. S, Server Do. S Server, Endpoint protection Fine grained finger print, scrubber Call admission control (RTP, signaling) Anti spoofing TCP SYN cookies SIP finger printing SIV Self Defense Threat Mitigation Confidentiality Integrity Policies TLS, SRTP, DTLS, DES/3 DES/AES RSA two factor authentication • device + user parameters Logging SHA-1/MD 5 Mutual certificate auth Schema validation, Reverse HTTP proxy/Dir services Digitized content signatures – enablement of security checks Fine grained layer-7 policies Codec prioritization based on policy control Application inspection, dynamic control of firewall rules/ports CDRs – toll fraud/toll bypass detection
THANK YOU!! Ravi Varanasi Vice President, Engineering Sipera Systems. ravi@sipera. com 214 -269 -2437.
Скачать презентацию Secure Realtime Enablement of Unified Communications Ravi Varanasi
e7d47306737ed861056b77577e77c5b3.ppt