Security and Lawful Intercept In VoIP Networks
Manohar Mahavadi
Centillium Communications Inc.
Fremont, California
Agenda
- VoIP: Packet switched network
- VoIP devices
- VoIP protocols
- Security and issues in VoIP networks
- CALEA
VoIP: Packet Switched Network
[Network diagram. Labels: PC, VoIP Phone, POTS Phone, Modem, Router, DSLAM, Broadband Network, Internet, Media Gateway, PSTN]
VoIP Devices
- Media servers
- Call controllers
- Conferencing servers
- Text-to-speech (TTS) servers
- Voice or video servers
- Media gateways: Analog (PSTN) IP (VOIP) H.323 ISDN IP ATM, TDM IP
VoIP Devices
- Security devices
  - Firewalls
  - Intrusion detection systems (IDS)
  - Intrusion prevention systems (IPS)
  - VPN gateways
- Switching and routing devices
- End points
  - SIP user agents
  - Terminals
  - Soft-phones
VoIP Protocols
- Signaling protocols
  - Call configuration and management
    - Call setup and teardown, call control
  - Capability exchange
    - Codecs, tones, etc.
  - Supplementary services
    - Conferencing, call forwarding, call transfer
- H.323 protocol suite
  - ITU-T standard
  - Mature, well-deployed but complex
- Session initiation protocol (SIP)
  - IETF standard
  - Upcoming, gaining popularity and simple
VoIP Protocols
- Data protocols
- Real-time transport protocol (RTP), RFC 1889
  - Transport of voice and video over UDP
  - Support for packet loss discovery and ordered delivery
    - Sequence#
  - Support for delay and jitter calculations
    - Timestamp
- RTP control protocol (RTCP), RFC 1889
  - Periodic exchange of control information
  - Sender reports, receiver reports, source description
  - Optional encryption prefix for DES
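An added example (not from the original slides): a small Python monitor for the two RTP fields named above, using the sequence number to find lost, reordered and duplicated packets and the timestamp for the RFC 1889 interarrival jitter estimate. The 8000 Hz clock, the `build` helper, the SSRC values and the sample stream are constructed for illustration.

```python
import struct

def parse_rtp(packet: bytes) -> dict:
    """Parse the 12-byte fixed RTP header: V/P/X/CC, M/PT, sequence, timestamp, SSRC."""
    if len(packet) < 12 or packet[0] >> 6 != 2:
        raise ValueError("not an RTP version 2 packet")
    _, b1, seq, ts, ssrc = struct.unpack("!BBHII", packet[:12])
    return {"pt": b1 & 0x7F, "seq": seq, "ts": ts, "ssrc": ssrc}

def _signed32(x: int) -> int:
    # Read a 32-bit difference as signed so timestamp wrap-around is harmless.
    return ((x + 0x80000000) & 0xFFFFFFFF) - 0x80000000

def analyse(stream, clock_rate=8000):
    """stream: (arrival_seconds, packet_bytes) pairs in arrival order."""
    stats = {"missing": set(), "reordered": 0, "duplicate": 0, "foreign_ssrc": 0, "jitter": 0.0}
    ssrc = expected = prev = None
    for arrival, raw in stream:
        h = parse_rtp(raw)
        if ssrc is None:                      # first packet defines the tracked source
            ssrc, expected = h["ssrc"], h["seq"]
        if h["ssrc"] != ssrc:                 # not from the tracked source: count, skip
            stats["foreign_ssrc"] += 1
            continue
        ahead = (h["seq"] - expected) & 0xFFFF        # wrap-safe 16-bit distance
        if ahead < 0x8000:                    # expected packet, or a jump forward
            stats["missing"].update((expected + i) & 0xFFFF for i in range(ahead))
            expected = (h["seq"] + 1) & 0xFFFF
        elif h["seq"] in stats["missing"]:    # late packet fills an earlier gap
            stats["missing"].discard(h["seq"])
            stats["reordered"] += 1
        else:                                 # already seen, or too old to track
            stats["duplicate"] += 1
        if prev is not None:                  # RFC 1889: J = J + (|D| - J) / 16
            d = (arrival - prev[0]) * clock_rate - _signed32(h["ts"] - prev[1])
            stats["jitter"] += (abs(d) - stats["jitter"]) / 16
        prev = (arrival, h["ts"])
    return stats

def build(seq, ts, ssrc=0x1234ABCD, pt=0):
    # Constructed sample packet: V=2, no padding/extension/CSRC, 160 zero payload bytes.
    return struct.pack("!BBHII", 0x80, pt, seq & 0xFFFF, ts & 0xFFFFFFFF, ssrc) + bytes(160)

def sample_stream():
    """Constructed: 20 ms pacing, seq wraps past 65535, seq 1 lost, 3 late, 5 repeated."""
    order = [65534, 65535, 0, 2, 4, 3, 5, 5]
    pkts = [(i * 0.02, build(s, ((s - 65534) & 0xFFFF) * 160)) for i, s in enumerate(order)]
    return pkts[:3] + [(0.05, build(9000, 0, ssrc=0xDEADBEEF))] + pkts[3:]
```

Jitter is reported in timestamp units; divide by the clock rate to get seconds.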
VoIP Protocols: H.323 Architecture
- Terminal
  - Endpoint on a network providing real-time communications with other devices, including gateways, MCUs and gatekeepers
  - Implements one or more codecs
  - Example: Microsoft NetMeeting
- Multipoint controller unit (MCU)
  - Manages multipoint conferences between three or more end points
  - Multipoint controllers (MC) handle call control
    - Capability set to all participants, join-in/drop-out managing
  - Multipoint processors (MP) (optional)
    - Perform media exchange in a conference
    - Processes the actual media streams
VoIP Protocols: H.323 Architecture
- Gateway
  - Protocol conversion between H.323 networks and other networks such as ISDN or PSTN (packet networks and circuit switched networks)
  - Acts as terminal on packet network side and node on circuit network side
  - Ability to set up and terminate calls
  - Provides translation
    - Data format
    - Control signal
    - Audio and video codec
- Gatekeeper
  - Central management and control services
  - Registration of terminals, gateways and MCUs
  - Address translation, access controls, bandwidth management, routing
VoIP Protocols: SIP Architecture
- SIP user agents
  - Endpoint or end-station
  - Client/server architecture
    - User agent client and user agent server
- SIP servers
  - Proxy server
    - Maintains current locations of registered user agents and helps in call management
    - Incoming call forking to multiple locations
    - Logs information for billing and information
  - Redirect server
    - Provides name resolution and user location
    - Does not participate in call establishment
  - SIP registrar
    - Provides location information service
VoIP Support Protocols
- DNS: Name resolution, address conversion
- TFTP: Software downloads and file transfer
- SNMP: Management and configuration
- DHCP: Dynamic address allocation
- RSVP: QoS allocation
- SDP: Sharing of client session abilities
Security Issues in VoIP
- Scams
  - In June 2006, federal authorities arrested a Miami man for reselling Internet telephone service by hacking into lines of legitimate telephone companies
  - Piggybacking since VoIP is not secured
Security: Basic Requirements
- Privacy
  - Encryption: symmetric and asymmetric keys
  - DES
  - 3DES
  - AES
- Integrity
  - MD5, HMAC-MD5
  - SHA-1, HMAC-SHA-1
- Authentication
  - RADIUS
  - PKI
  - Digital certificates
Security: Network Security Threats
- DoS attacks
  - CPU resource starvation
  - Service degradation or disruption
  - Random TCP, UDP or ICMP packets on random ports
    - Example: packets with urgent flag
  - Bogus messages
    - Premature termination
  - Control packet flood
  - Securing a packet is not relevant and not a cure
Security: Network Security Threats
- Call interception and hijacking
  - DNS poisoning
    - SIP uses SRV records to locate SIP services
    - Call redirection: SRV record changes pointing to servers rather than actual ones
  - ARP spoofing (cache poisoning)
    - MAC address manipulation
    - Session hijacking due to rerouting
  - Session interception and message tampering
    - Encryption for mitigation
Security: Enforcement
- Firewalls
  - Network layer: Source address, destination address
  - Application layer: FTP, HTTP, e-mail, etc.
  - Stateful firewalls: Inbound responses to outbound requests permitted
  - Network address translation (NAT): Internal IP address shielding
- Intrusion detection and reporting
  - Counter-based
  - Traffic-anomaly-based
  - Logging and reporting
  - False alarms
- Intrusion prevention
  - Detect and drop
  - Detect and throttle
  - Dynamic reconfiguration
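An added example (not from the original slides) of the counter-based detection listed above, applied to the control packet flood and the bogus termination messages named on the threats slide. The log format, thresholds, addresses and action labels are assumptions made for illustration.

```python
from collections import defaultdict, deque

# Constructed SIP request log: "<epoch> <src> <dst> <method> <call-id>".
SAMPLE_LOG = [
    "100.0 192.0.2.10 192.0.2.20 INVITE c1",
    "101.0 203.0.113.9 192.0.2.20 BYE c1",      # sender is not a party to call c1
    "130.0 192.0.2.20 192.0.2.10 BYE c1",       # legitimate teardown
] + [f"{200 + i * 0.2:.1f} 198.51.100.7 192.0.2.20 INVITE f{i}" for i in range(12)]

def detect(lines, window=10.0, throttle_at=5, drop_at=10):
    """Return (time, source, action) alerts from per-source request counters."""
    recent = defaultdict(deque)   # source -> request times inside the window
    calls = {}                    # call-id -> the two parties of the INVITE
    alerts = []
    for line in lines:
        ts, src, dst, method, call_id = line.split()
        ts = float(ts)
        q = recent[src]
        q.append(ts)
        while q[0] <= ts - window:            # expire requests older than the window
            q.popleft()
        # An alert fires each time the counter reaches a threshold.
        if len(q) == drop_at:                 # sustained flood: detect and drop
            alerts.append((ts, src, "drop"))
        elif len(q) == throttle_at:           # early flood: detect and throttle
            alerts.append((ts, src, "throttle"))
        if method == "INVITE":
            calls.setdefault(call_id, {src, dst})
        elif method == "BYE":
            # A BYE from a host that never took part in the call would end it
            # prematurely. Calls set up before logging began also land here.
            if src in calls.get(call_id, ()):
                del calls[call_id]
            else:
                alerts.append((ts, src, "bogus-bye"))
    return alerts
```

The BYE check is only as strong as the source address it trusts, which is why the slides pair detection with authentication and encryption.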
Security: Enforcement Systems
- Virus scanning
  - E-mails with attachments
  - File downloads and piggybacking
  - Scan, detect and quarantine
  - Logging and reporting
- VPN gateways
  - Secure tunnels between gateways
  - Bulk encryption
  - Road warriors remote access
Security: Network-based
[Network diagram. Labels: Soft-phone, VoIP Phone, POTS Phone, LAN, Internet, PSTN, Media Gateway, Firewall (two), IDS/IPS (two)]
Security: Host-based
[Network diagram. Labels: PC with MS Firewall and MS Anti-virus, VoIP Phone, POTS Phone, Modem (two), Router w/firewall, DSLAM, Broadband Network, Internet, PSTN, Media Gateway, Firewall, IDS/IPS]
Security: Software Techniques
- Application Layer: EMAIL, FTP, NFS, MS Word, User name, Password, S/MIME
- Presentation Layer
- Session Layer
- Transport Layer: TCP, UDP, SSL, TLS
- Network Layer: IPSEC
- Data Link Layer
- Physical Layer
S/MIME Protocol
- Secure multipurpose Internet mail extensions
- Enables secure transmission, storage and authentication of data
- Applications
  - Electronic Data Interchange over Internet (EDI-INT)
  - Storage and transfer of bank statements, financial forms, etc.
  - Electronic billing and payments, online sales, etc.
  - Secure patient records and record management
SSL/TLS Protocols
- Secure sockets layer (SSL) developed by Netscape
- Transport layer security (TLS)
  - IETF standard (RFC 2246) based on SSL 3.0
- SSL and TLS used for point-to-point application security
- Not interoperable: TLS or SSL negotiated in the beginning
- Applications
  - Remote access for management and control
  - Secure account management
  - Travel reservations
IPSEC Protocol
- Secures data through insecure channels
- Policy-based enforcement (hosts, applications, etc.)
- Tunnel mode of operation
  - Between gateways, creating tunnel connecting two or more networks
  - Encrypts payload and header of IP packets
- Transport mode of operation
  - Between end points or between an end point and gateway
  - Encrypts payload of IP packet only
- Applications
  - VPNs connecting geographically separate networks
  - Bulk data transfers
  - Mobile users/road warriors
IPSEC: Protocols
Authentication Header (AH)
- Original packet: IP Header | Data
- Tunnel Mode: New IP Header | AH | IP Header | Data (Authenticated)
- Transport Mode: IP Header | AH | Data (Authenticated)
IPSEC: Protocols
Encapsulating Security Payload (ESP)
- Original packet: IP Header | Data
- Tunnel Mode, ESP and AH: New IP Header | ESP Header | IP Header | Data | ESP Trailer | ICV
- Transport Mode, ESP and AH: IP Header | ESP Header | Data | ESP Trailer | ICV
[Packet layout diagram. Span labels in each mode: Encrypted, Authenticated]
Understanding LI/CALEA
[Figure: Surveillance Model]
Understanding LI/CALEA
The intercept function is viewed as five broad categories
- Access function
  - One or more intercept access points (IAPs)
- Delivery function
  - Call content channels (CCCs) and call data channels (CDCs)
- Collection function
  - Collecting and analyzing intercepted communications
- Service provider administration function
  - Controlling the TSP access and delivery functions
- Law enforcement administration function
  - Controlling the LEA collection function
Understanding LI/CALEA
[Figure: Circuit IAP for a Two-way Communication]
Understanding LI/CALEA
[Figure: Packet IAP for a Two-way Communication]
LI/CALEA Model for TDM_PKT_CHNL
Law Interception (LI) on Circuit (TDM) or Packet (PKT) Channel for TDM_PKT_CHANNEL
[Block diagram. Labels: Legacy Phone A, IP Phone B, TDM_PKT_CHANNEL, DSP, EC, Encoder, Decoder, Packetizer, UnPacketizer, NP, LI TDM, LI PKT, TAP TRAFFIC COMING TO PKT, TAP TRAFFIC COMING FROM PKT]
LI/CALEA Model for PKT_PKT_CHNL
Law Interception (LI) on Packet (PKT) Channel for PKT_PKT_CHANNEL (e.g., wireless hands-off)
[Block diagram. Labels: IP Phone A, IP Phone B, TDM_PKT_CHNL, PKT_PKT_CHNL, DSP, Encoder, Decoder, Packetizer, UnPacketizer, NP, LI_A, LI_B]
LI/CALEA Model For TDM_PKT_CONF_CHNL
[Figure: CALEA Model with Conferencing]