SIP security and the great fun with Firewall / NAT Bernie Höneisen SURA / ViDe, , Atlanta, GA (USA)

Similar documents
VoIP Security Threat Analysis

Ingate Firewall & SIParator Product Training. SIP Trunking Focused

Firewall-Friendly VoIP Secure Gateway and VoIP Security Issues

Secure Telephony Enabled Middle-box (STEM)

Realtime Multimedia in Presence of Firewalls and Network Address Translation

Int ernet w orking. Internet Security. Literature: Forouzan: TCP/IP Protocol Suite : Ch 28

Realtime Multimedia in Presence of Firewalls and Network Address Translation. Knut Omang Ifi/Oracle 9 Nov, 2015

Modern IP Communication bears risks

MySip.ch. SIP Network Address Translation (NAT) SIP Architecture with NAT Version 1.0 SIEMENS SCHWEIZ AKTIENGESELLSCHAFT

Journal of Information, Control and Management Systems, Vol. X, (200X), No.X SIP OVER NAT. Pavel Segeč

The leader in session border control. for trusted, first class interactive communications

Department of Computer Science. Burapha University 6 SIP (I)

FreeSWITCH as a Kickass SBC. Moises Silva Manager, Software Engineering

Encryption setup for gateways and trunks

Network Address Translation (NAT) Contents. Firewalls. NATs and Firewalls. NATs. What is NAT. Port Ranges. NAT Example

Session initiation protocol & TLS

Configuring Encryption for Gateways and Trunks

ABC SBC: Securing the Enterprise. FRAFOS GmbH. Bismarckstr CHIC offices Berlin. Germany.

ABC SBC: Secure Peering. FRAFOS GmbH

Having fun with RTP Who is speaking???

Semester 1. Cisco I. Introduction to Networks JEOPADY. Chapter 11

LISTENING BY SPEAKING

Network Address Translation (NAT) Background Material for Overlay Networks Course. Jan, 2013

Secure Communications on VoIP Networks

Ingate SIParator /Firewall SIP Security for the Enterprise

Real-Time Communications for the Web. Presentation of paper by:cullen Jennings,Ted Hardie,Magnus Westerlund

Implementing SBC Firewall Traversal and NAT

Network Address Translators (NATs) and NAT Traversal

become a SIP School Certified Associate endorsed by the Telecommunications Industry Association (TIA)

What is SIP Trunking? ebook

IP Possibilities Conference & Expo. Minneapolis, MN April 11, 2007

Unified Communication:

10 Key Things Your VoIP Firewall Should Do. When voice joins applications and data on your network

P2PSIP, ICE, and RTCWeb

The SIP School ~ Mitel Style [based on MCD4.0]

L13. Reviews. Rocky K. C. Chang, April 10, 2015

Application Note. Microsoft OCS 2007 Configuration Guide

secure communications

From POTS to VoP2P: Step 1. P2P Voice Applications. Renato Lo Cigno

An Efficient NAT Traversal for SIP and Its Associated Media sessions

Application Note 3Com VCX Connect with SIP Trunking - Configuration Guide

Chapter 5. Security Components and Considerations.

SIP and VoIP What is SIP? What s a Control Channel? History of Signaling Channels

Internet Networking recitation #

Outline. Goals of work Work since Atlanta Extensions Updates Made Open Issues Ad-hoc meeting & Next Teleconference Links

Application Notes for Configuring SIP Trunking between the Skype SIP Service and an Avaya IP Office Telephony Solution Issue 1.0

RP-FSO522 2-Line FXO, 2-Line FXS SIP IP Gateway. Feature

Overview of SIP. Information About SIP. SIP Capabilities. This chapter provides an overview of the Session Initiation Protocol (SIP).

Sonus Networks engaged Miercom to evaluate the call handling

Voice over IP. What You Don t Know Can Hurt You. by Darren Bilby

Distributed Systems. 27. Firewalls and Virtual Private Networks Paul Krzyzanowski. Rutgers University. Fall 2013

NAT Traversal for VoIP

Common Components. Cisco Unified Border Element (SP Edition) Configuration Profile Examples 5 OL

Application Note Asterisk BE with SIP Trunking - Configuration Guide

Advanced Computer Networks

Cisco Expressway with Jabber Guest

INTERFACE SPECIFICATION SIP Trunking. 8x8 SIP Trunking. Interface Specification. Version 2.0

MonAM ( ) at TUebingen Germany

Sample excerpt. Virtual Private Networks. Contents

Application Notes for Configuring Tidal Communications tnet Business VoIP with Avaya IP Office using SIP Registration - Issue 1.0

CTS2134 Introduction to Networking. Module 08: Network Security

Location Based Advanced Phone Dialer. A mobile client solution to perform voice calls over internet protocol. Jorge Duda de Matos

Installation & Configuration Guide Version 4.0

Frequently Asked Questions (Dialogic BorderNet 500 Gateways)

Internet Security: Firewall

Overview of the Session Initiation Protocol

The Session Initiation Protocol

Lecture 33. Firewalls. Firewall Locations in the Network. Castle and Moat Analogy. Firewall Types. Firewall: Illustration. Security April 15, 2005

Security and Lawful Intercept In VoIP Networks. Manohar Mahavadi Centillium Communications Inc. Fremont, California

Configuration Guide IP-to-IP Application

PBX Data Sheet. Version 2.0. Product categories

TT11 VoIP Router 1FXS/1FXO TA User Guide

Virtual Private Networks.

SIP TRUNKING CARRIER CERTIFICATION OXE-SIP configuration

Chapter 11: It s a Network. Introduction to Networking

UCM6102/6104/6108/6116 Configuration

VoIP Basics. 2005, NETSETRA Corporation Ltd. All rights reserved.

Chapter 10: Security. 2. What are the two types of general threats to computer security? Give examples of each.

Request for Comments: Category: Standards Track Columbia U. G. Camarillo Ericsson A. Johnston WorldCom J. Peterson Neustar R.

Prof. Shervin Shirmohammadi SITE, University of Ottawa. Security Architecture. Lecture 13: Prof. Shervin Shirmohammadi CEG

Application Notes for Phonect SIP Trunk Service and Avaya IP Office 7.0 Issue 1.0

Internet Engineering Task Force (IETF) Request for Comments: E. Rescorla RTFM, Inc. May 2010

Deliverable D2.4: Literature Study and Survey on Applicable Technologies

Chapter 32 Security in the Internet: IPSec, SSL/TLS, PGP,

CS519: Computer Networks. Lecture 7: Apr 14, 2004 Firewalls and NATs

Application Notes for Configuring CenturyLink SIP Trunking with Avaya IP Office Issue 1.0

OpenScape Business V2

Grandstream Networks, Inc. GWN7000 OpenVPN Site-to-Site VPN Guide

A. On the VCS, navigate to Configuration, Protocols, H.323, and set Auto Discover to off.

W is a Firewall. Internet Security: Firewall. W a Firewall can Do. firewall = wall to protect against fire propagation

Configure Basic Firewall Settings on the RV34x Series Router

VPN-1 Power/UTM. Administration guide Version NGX R

Request for Comments: 4504 Category: Informational Verizon C. Stredicke snom May SIP Telephony Device Requirements and Configuration

Wireless LAN Security (RM12/2002)

White Paper. SIP Trunking: Deployment Considerations at the Network Edge

Implementing Cisco IP Telephony & Video, Part 2 v1.0

Application Notes for Configuring Windstream SIP Trunking with Avaya IP Office - Issue 1.0

MS Lync 2013 Server Security Guide. Technical Note

Application Firewalls

Polycom RealPresence Access Director System

Transcription:

security and the great fun with Firewall / NAT Bernie Höneisen SURA / ViDe, 29.03.2006, Atlanta, GA (USA) 2006 SWITCH

Content and Firewall and NAT Privacy / Encryption SpIT / Authentication Identity General Internet Security 2006 SWITCH 2

Firewalls signalling and media transport is done peer-to-peer Media ports are negotiated per call The number of firewalls is growing (including personal FWs) Firewall rules get more restrictive One has to take special measures to allow communication through firewalls 2006 SWITCH 3

Some Ways to deal with Firewalls Open pin holes (statically) aware firewall dynamically open pin holes per session Stateful firewall outgoing traffic opens pin holes for corresponding incoming traffic Precondition: UA must support symmetric signalling and media Proxy Solution open pin holes just to dedicated hosts e.g. in DMZ» TURN Server» Mediaproxy / B2BUA 2006 SWITCH 4

Open Pin Holes in Firewall Internal Net Internet UA1 UA2 RTP 2006 SWITCH 5

aware Firewall Internal Net Internet UA1 1 2 3 UA2 RTP 4 1) INVITE arrives at Firewall 3) INVITE goes towards UA2 2) Firewall inspects INVITE message, and opens pin holes for RTP 4) RTP passes through the pin hole 2006 SWITCH 6

Stateful Firewall Internal Net Internet UA1 1 2 UA2 RTP 4 3 Precondition: UA must support symmetric signalling and media 1) INVITE goes through Firewall and opens a pin hole for reverse traffic 2) 200 OK can pass through this pin hole 3) After First RTP packet has gone through Firewall, the pin hole for reverse traffic is also open 4) Reverse RTP traffic can pass through this pin hole 2006 SWITCH 7

TURN Server Internal Net Internet UA1 (DMZ) 2 UA2 1 3 2 Default Outbound Proxy TURN Server 3 RTP 1) On request, the TURN Server returns a globally reachable IP/Port pair 3) RTP goes via TURN Server 2) goes via Default Outbound Proxy using this gained IP/Port pair 2006 SWITCH 8

Mediaproxy / B2BUA Internal Net Internet UA1 (DMZ) UA2 1 4 3 2 B2BUA 4 RTP 1) INVITE goes to B2BUA (B2BUA as Default Outbound Proxy) 3) Modified INVITE goes to UA2 On 200 OK, B2BUA applies the same man-in-middle attack 2) B2BUA applies a man-in-the-middle attack on INVITE 4) RTP is therefore re-routed via B2BUA 2006 SWITCH 9

Network Address Translation (NAT) Many networks are protected with a NAT box (shortage of IP addresses, firewall functionality) With IPv6 we don t need NAT anymore hopefully... time scale? Basic NAT operation: 2006 SWITCH 10

Some ways to overcome a NAT STUN Discover NAT and Firewall situation between UA and Internet Discover public IP Address (and port mapping rules) of NAT TURN Request a public IP/Port pair to proxy RTP streams ICE Provide in signalling many (ordered) alternatives, typically including also STUN and TURN The other side performs trial and error Mediaproxy / B2BUA man-in-middle attack to signalling All these solutions require UA to support symmetric signalling and media 2006 SWITCH 11

More ways to overcome a NAT UPnP Request NAT to open pin holes and return public IP/Port pair(s) Port forwarding Statically configure NAT to keep certain pin holes and bindings open aware NAT Let NAT inspect signalling and dynamically open the Pin Holes 2006 SWITCH 12

TURN Server Behind NAT Internet Behind NAT UA1 2 4 1) On request, the TURN Server returns a globally reachable IP/Port pair TURN RTP Proxy 1 TURN RTP 3 4 UA2 2) INVITE using this IP/Port pair goes to Proxy 3) INVITE goes to UA2 (Pin Hole has been kept open by Proxy) 4) RTP is therefore re-routed via TURN Server Pin holes on both sides are opened by first (RTP) packet 2006 SWITCH 13

ICE / STUN / TURN Behind NAT Internet Behind NAT 3 UA1 1 2 STUN UA2 1) UA1 discovers by STUN what kind of Firewall or NAT it is behind and what public IP address (and Port mapping rules) its NAT uses TURN 2) As a backup plan it requests a public IP/Port pair from TURN 3) UA1 sends the INVITE containing any gained information on how it could be contacted as ordered alternatives 4) UA2 later uses these alternatives for trial and error until it has a successful connection (not shown here) 2006 SWITCH 14

Mediaproxy / B2BUA Behind NAT Internet Behind NAT UA1 1) INVITE goes to B2BUA (default outbound proxy) 1 4 RTP 2 B2BUA 3 RTP 4 UA2 2) B2BUA applies a man-in-themiddle attack on INVITE 3) Modified INVITE goes to UA2 (Pin hole has been kept open by B2BUA) On 200 OK, B2BUA applies the same man-in-middle attack 4) RTP is therefore re-routed via B2BUA Pin holes on both sides are opened by first RTP packet 2006 SWITCH 15

Privacy, Encryption Wiretapping a based conversation is not easy As with PSTN, one needs physical access to the network But, gaining physical access to WLAN networks is easy 2006 SWITCH 16

Encryption (possible solutions) Signalling () End-to-End» S/MIME Hop-by-hop» S (require TLS on whole signalling path) Streams (RTP) SRTP Lower Layer solutions VPN, IPSec, TLS Wireless: WEP, WPA, 802.1X 2006 SWITCH 17

Spam over Internet Telephony (SpIT) Many VoIP services are free of charge or charged flatrate Sending pre-recorded messages to thousands of VoIP users within seconds is possible SpIT calls in the middle of the night Answering machine is full with SpIT Spam IMs will be a problem too 2006 SWITCH 18

SpIT Prevention (possible solutions) Client based solutions Closed User Groups» Trusted buddy lists Network based Solutions Web of trust Blacklisting Charging Mixed approaches Identity All solutions require some kind of trust relationship, e.g. CA (server and/or client certificates) shared secret 2006 SWITCH 19

Authentication Call hijacking associate a user s URI with another IP address» Stealing calls from someone else Identity theft Caller Identity faking» pretend to be someone else» Using (charged) services of someone else Man-in-the-middle attack Registration, call signalling and media should be authenticated 2006 SWITCH 20

Authentication (possible solutions) Signalling () Basic Authentication (deprecated!) Digest Authentication (challenge - response) S/MIME S Identity Streams (RTP) SRTP Lower Layer solutions TLS IPSec All solutions require some kind of trust relationship, e.g. Shared secret CA (server and/or client certificates) 2006 SWITCH 21

Identity (draft-ietf-sip-identity-06) IETF proposal (Standards Track) in RFC Editor queue messages are signed by sending UA or local (Outbound) Proxy If Proxy signs the message (on behalf of the user)» the UA authenticates at Proxy e.g. with Digest Authentication over TLS Receiving party (Proxy or UA) verifies signature Certificate Authority (CA) 2006 SWITCH 22

Internet security VoIP systems are challenged by the well known Internet security threats: (Distributed) Denial-of-Service Viruses, worms, Buffer overflow attacks VoIP will most probably not be as reliable as the PSTN This is the price we pay for new functionality/services and lower costs ;-) 2006 SWITCH 23

Questions / Discussion 2006 SWITCH 24

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback