Security and Lawful Intercept In VoIP Networks. Manohar Mahavadi Centillium Communications Inc. Fremont, California


Agenda
- VoIP: packet switched network
- VoIP devices
- VoIP protocols
- Security and issues in VoIP networks
- CALEA

VoIP: Packet Switched Network (diagram)
Elements shown: modem, media gateway, broadband network, Internet, PSTN, router, DSLAM, PC, VoIP phone, POTS phone.

VoIP Devices
- Media servers
  - Call controllers
  - Conferencing servers
  - Text-to-speech (TTS) servers
  - Voice or video servers
- Media gateways (diagram): analog (PSTN) to IP (VoIP); H.323 to ISDN; IP to ATM, TDM

VoIP Devices (continued)
- Security devices
  - Firewalls
  - Intrusion detection systems (IDS)
  - Intrusion prevention systems (IPS)
  - VPN gateways
- Switching and routing devices
- End points
  - SIP user agents
  - Terminals
  - Soft-phones

VoIP Protocols: Signaling Protocols
- Call configuration and management: call setup and teardown, call control
- Capability exchange: codecs, tones, etc.
- Supplementary services: conferencing, call forwarding, call transfer
- H.323 protocol suite: ITU-T standard; mature and well-deployed but complex
- Session Initiation Protocol (SIP): IETF standard; upcoming, gaining popularity and simple

VoIP Protocols: Data Protocols
- Real-time Transport Protocol (RTP), RFC 1889
  - Transport of voice and video over UDP
  - Support for packet loss discovery and ordered delivery: sequence number
  - Support for delay and jitter calculations: timestamp
- RTP Control Protocol (RTCP), RFC 1889
  - Periodic exchange of control information: sender reports, receiver reports, source description
  - Optional encryption prefix for DES
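Added example (not from the slides): a minimal RTP header parser and a per-stream monitor that uses the sequence number to count lost and reordered packets and the timestamp to keep the RFC 1889 interarrival jitter estimate. The capture, clock rate (8 kHz G.711) and SSRC are constructed for the demonstration.

```python
import struct

def parse_rtp(packet):
    """Parse the fixed RTP header (RFC 1889). Returns a dict, or None if the packet is malformed."""
    if len(packet) < 12:
        return None
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", packet[:12])
    if b0 >> 6 != 2:                      # RTP version must be 2
        return None
    hdr_len = 12 + 4 * (b0 & 0x0F)        # CSRC list follows the fixed header
    if len(packet) < hdr_len:
        return None
    return {"pt": b1 & 0x7F, "marker": bool(b1 & 0x80), "seq": seq,
            "ts": ts, "ssrc": ssrc, "payload": packet[hdr_len:]}

class RtpStreamMonitor:
    """Loss/reorder counts from sequence gaps and RFC 1889 interarrival jitter from timestamps."""
    def __init__(self, clock_rate=8000):      # 8 kHz: G.711 audio (constructed assumption)
        self.clock_rate, self.last_seq, self.prev_transit = clock_rate, None, None
        self.lost = self.reordered = 0
        self.jitter = 0.0

    def observe(self, hdr, arrival_ms):
        delta = 1 if self.last_seq is None else (hdr["seq"] - self.last_seq) & 0xFFFF
        if 1 < delta < 0x8000:
            self.lost += delta - 1             # gap: packets that never arrived
        elif delta == 0 or delta >= 0x8000:
            self.reordered += 1                # duplicate or late packet
        if 0 < delta < 0x8000:
            self.last_seq = hdr["seq"]         # advance only on forward progress
        # Transit time in RTP clock ticks; jitter is the smoothed change in transit (RFC 1889 A.8).
        transit = arrival_ms * self.clock_rate // 1000 - hdr["ts"]
        if self.prev_transit is not None:
            self.jitter += (abs(transit - self.prev_transit) - self.jitter) / 16
        self.prev_transit = transit

def analyze(packets):
    """packets: list of (arrival_ms, raw_bytes). Returns (lost, reordered, jitter_in_ticks)."""
    mon = RtpStreamMonitor()
    for arrival_ms, pkt in packets:
        hdr = parse_rtp(pkt)
        if hdr is not None:
            mon.observe(hdr, arrival_ms)
    return mon.lost, mon.reordered, round(mon.jitter, 3)

def make_rtp(seq, ts, pt=0, ssrc=0x1234, payload=b"\xff" * 160):
    return struct.pack("!BBHII", 0x80, pt, seq, ts, ssrc) + payload   # constructed G.711 frame

# Constructed capture: 20 ms frames (160 ticks); seq 3 is lost and seq 5 arrives 10 ms late.
SAMPLE = [(0, make_rtp(1, 0)), (20, make_rtp(2, 160)), (60, make_rtp(4, 480)), (90, make_rtp(5, 640))]
```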

VoIP Protocols: H.323 Architecture
- Terminal
  - Endpoint on a network providing real-time communications with other devices, including gateways, MCUs and gatekeepers
  - Implements one or more codecs
  - Example: Microsoft NetMeeting
- Multipoint control unit (MCU)
  - Manages multipoint conferences between three or more endpoints
  - Multipoint controllers (MC) handle call control: send the capability set to all participants, manage join-in/drop-out
  - Multipoint processors (MP, optional) perform the media exchange in a conference and process the actual media streams

VoIP Protocols: H.323 Architecture (continued)
- Gateway
  - Protocol conversion between H.323 networks and other networks such as ISDN or PSTN (packet networks and circuit-switched networks)
  - Acts as a terminal on the packet network side and as a node on the circuit network side
  - Ability to set up and terminate calls
  - Provides translation of data format, control signals, and audio and video codecs
- Gatekeeper
  - Central management and control services
  - Registration of terminals, gateways and MCUs
  - Address translation, access control, bandwidth management, routing

VoIP Protocols: SIP Architecture
- SIP user agents
  - Endpoint or end-station
  - Client/server architecture: user agent client and user agent server
- SIP servers
  - Proxy server: maintains current locations of registered user agents and helps in call management; forks incoming calls to multiple locations; logs information for billing and reporting
  - Redirect server: provides name resolution and user location; does not participate in call establishment
  - SIP registrar: provides the location information service

VoIP Support Protocols
- DNS: name resolution, address conversion
- TFTP: software downloads and file transfer
- SNMP: management and configuration
- DHCP: dynamic address allocation
- RSVP: QoS allocation
- SDP: sharing of client session abilities

Security Issues in VoIP: Scams
- In June 2006, federal authorities arrested a Miami man for reselling Internet telephone service by hacking into the lines of legitimate telephone companies
- Piggybacking on such lines is possible because VoIP traffic is not secured

Security: Basic Requirements
- Privacy: encryption with symmetric and asymmetric keys (DES, 3DES, AES)
- Integrity: MD5, HMAC-MD5, SHA-1, HMAC-SHA-1
- Authentication: RADIUS, PKI, digital certificates

Security: Network Security Threats
- DoS attacks
  - CPU resource starvation
  - Service degradation or disruption
  - Random TCP, UDP or ICMP packets on random ports (example: packets with the urgent flag set)
  - Bogus messages, premature termination, control packet floods
  - Securing individual packets is not relevant here and is not a cure

Security: Network Security Threats (continued)
- Call interception and hijacking
  - DNS poisoning: SIP uses SRV records to locate SIP services; call redirection occurs when SRV records are changed to point to rogue servers rather than the actual ones
  - ARP spoofing (cache poisoning): MAC address manipulation; session hijacking through rerouting
  - Session interception and message tampering
  - Encryption for mitigation
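Added example (not from the slides) for the SRV-based call redirection point above: a small checker that parses SRV answers for the SIP service and flags targets that point outside the provider's domain or differ from a known-good baseline. The domain name, baseline and answer sets are constructed for the demonstration.

```python
import re

# Constructed assumptions: the provider's SIP domain and the SRV targets recorded at provisioning time.
SIP_DOMAIN = "voip.example.net"
BASELINE = {"sip1.voip.example.net", "sip2.voip.example.net"}

SRV_RE = re.compile(r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+SRV\s+(?P<prio>\d+)\s+"
                    r"(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)$")

def parse_srv(line):
    """Parse one zone-file style SRV record line into a dict (None if it is not an SRV record)."""
    m = SRV_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("ttl", "prio", "weight", "port"):
        rec[key] = int(rec[key])
    rec["target"] = rec["target"].rstrip(".").lower()   # normalise the FQDN for comparison
    return rec

def in_domain(host, domain):
    return host == domain or host.endswith("." + domain)

def check_srv_answer(lines, domain=SIP_DOMAIN, baseline=BASELINE):
    """Return (reason, detail) findings for SRV targets a SIP client should not trust blindly."""
    findings = []
    for line in lines:
        rec = parse_srv(line)
        if rec is None:
            continue
        if not in_domain(rec["target"], domain):
            findings.append(("off-domain target", rec["target"]))
        elif rec["target"] not in baseline:
            findings.append(("unexpected target", rec["target"]))
        if rec["port"] not in (5060, 5061):               # standard SIP / SIP-over-TLS ports
            findings.append(("unusual port", f'{rec["target"]}:{rec["port"]}'))
    return findings

# Constructed answers: GOOD matches the baseline; POISONED adds a higher-priority record
# that would steer all calls to a host outside the provider's domain.
GOOD = ["_sip._udp.voip.example.net. 300 IN SRV 10 60 5060 sip1.voip.example.net.",
        "_sip._udp.voip.example.net. 300 IN SRV 10 40 5060 sip2.voip.example.net."]
POISONED = ["_sip._udp.voip.example.net. 60 IN SRV 5 100 5060 sip.unknown.example.",
            "_sip._udp.voip.example.net. 300 IN SRV 10 60 5060 sip1.voip.example.net."]
```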

Security: Enforcement Firewalls
- Firewalls
  - Network layer: source address, destination address
  - Application layer: FTP, HTTP, e-mail, etc.
  - Stateful firewalls: inbound responses to outbound requests permitted
  - Network address translation (NAT): internal IP address shielding
- Intrusion detection and reporting
  - Counter-based
  - Traffic-anomaly-based
  - Logging and reporting; false alarms
- Intrusion prevention
  - Detect and drop
  - Detect and throttle
  - Dynamic reconfiguration

Security: Enforcement Systems
- Virus scanning
  - E-mails with attachments
  - File downloads and piggybacking
  - Scan, detect and quarantine
  - Logging and reporting
- VPN gateways
  - Secure tunnels between gateways
  - Bulk encryption
  - Remote access for road warriors

Security: Network-based (diagram)
Elements shown: soft-phone, media gateway, LAN, Internet, PSTN, VoIP phone, POTS phone, with a firewall and IDS/IPS pair on each side of the Internet.

Security: Host-based (diagram)
Elements shown: PC with MS firewall and MS anti-virus, modem, media gateway, broadband network, Internet, PSTN, VoIP phone, DSLAM, router with firewall, firewall with IDS/IPS, POTS phone.

Security: Software Techniques (by layer)
- Application layer: e-mail, FTP, NFS, MS Word; user name and password; S/MIME
- Presentation layer
- Session layer
- Transport layer: TCP, UDP; SSL, TLS
- Network layer: IPsec
- Data link layer
- Physical layer

S/MIME Protocol
- Secure Multipurpose Internet Mail Extensions
- Enables secure transmission, storage and authentication of data
- Applications
  - Electronic Data Interchange over the Internet (EDI-INT)
  - Storage and transfer of bank statements, financial forms, etc.
  - Electronic billing and payments, online sales, etc.
  - Secure patient records and record management

SSL/TLS Protocols
- Secure Sockets Layer (SSL), developed by Netscape
- Transport Layer Security (TLS), IETF standard (RFC 2246) based on SSL 3.0
- SSL and TLS are used for point-to-point application security
- Not interoperable: TLS or SSL is negotiated at the beginning
- Applications
  - Remote access for management and control
  - Secure account management
  - Travel reservations

IPSEC Protocol
- Secures data through insecure channels
- Policy-based enforcement (hosts, applications, etc.)
- Tunnel mode of operation
  - Between gateways, creating a tunnel connecting two or more networks
  - Encrypts payload and header of IP packets
- Transport mode of operation
  - Between end points, or between an end point and a gateway
  - Encrypts the payload of the IP packet only
- Applications
  - VPNs connecting geographically separate networks
  - Bulk data transfers
  - Mobile users/road warriors

IPSEC: Protocols: Authentication Header (AH)
- Transport mode: IP Header | AH | Data; authenticated: the whole packet
- Tunnel mode: New IP Header | AH | IP Header | Data; authenticated: the whole packet

IPSEC: Protocols: Encapsulating Security Payload (ESP)
- Transport mode (ESP and AH): IP Header | ESP Header | Data | ESP Trailer | ICV; encrypted: Data and ESP Trailer; authenticated: ESP Header through ESP Trailer
- Tunnel mode (ESP and AH): New IP Header | ESP Header | IP Header | Data | ESP Trailer | ICV; encrypted: IP Header, Data and ESP Trailer; authenticated: ESP Header through ESP Trailer
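Added example (not from the slides) for the AH layouts above: it builds AH packets in transport and tunnel mode with an HMAC-SHA1-96 integrity check value and verifies them, showing that the ICV covers the payload and the inner IP header in tunnel mode while the mutable outer fields (such as TTL) are excluded so routers can still forward the packet. The key, addresses and inner packet are constructed; IKE key exchange is out of scope.

```python
import hmac, hashlib, struct

AH_PROTO = 51                 # IP protocol number for AH
KEY = b"\x0b" * 20            # constructed HMAC-SHA1 key; real keys come from IKE

def ipv4_header(src, dst, proto, total_len, ttl=64):
    """Minimal 20-byte IPv4 header (checksum left zero for clarity)."""
    to_bytes = lambda a: bytes(int(x) for x in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl, proto, 0,
                       to_bytes(src), to_bytes(dst))

def zero_mutable(ip_hdr):
    """RFC 2402: TOS, flags/fragment offset, TTL and checksum may change in transit, so they
    are zeroed before the ICV is computed; every other header field is covered."""
    b = bytearray(ip_hdr)
    b[1] = 0; b[6:8] = b"\0\0"; b[8] = 0; b[10:12] = b"\0\0"
    return bytes(b)

def ah_icv(ip_hdr, ah_fixed, payload):
    """HMAC-SHA1-96 over IP header (mutable fields zeroed) + AH (ICV field zeroed) + payload."""
    data = zero_mutable(ip_hdr) + ah_fixed + b"\0" * 12 + payload
    return hmac.new(KEY, data, hashlib.sha1).digest()[:12]

def ah_encapsulate(src, dst, payload, next_hdr, spi, seq=1):
    """Build IP | AH | payload. Transport mode: payload is upper-layer data (next_hdr=17, UDP);
    tunnel mode: payload is the whole inner IP packet (next_hdr=4, IP-in-IP) behind a new header."""
    ip = ipv4_header(src, dst, AH_PROTO, 20 + 24 + len(payload))
    ah_fixed = struct.pack("!BBHII", next_hdr, 4, 0, spi, seq)   # payload len 4 = (24/4) - 2
    return ip + ah_fixed + ah_icv(ip, ah_fixed, payload) + payload

def ah_verify(pkt):
    ip, ah_fixed, icv, payload = pkt[:20], pkt[20:32], pkt[32:44], pkt[44:]
    return hmac.compare_digest(icv, ah_icv(ip, ah_fixed, payload))

def tamper(pkt, offset, mask):
    """Flip bits at one offset (used to show what the ICV does and does not cover)."""
    b = bytearray(pkt); b[offset] ^= mask; return bytes(b)

# Constructed example: an inner UDP/5060 packet from 10.1.0.5 to 10.2.0.9 carried in tunnel mode
# between gateways 192.0.2.1 and 198.51.100.1; the inner header becomes part of the protected payload.
INNER = ipv4_header("10.1.0.5", "10.2.0.9", 17, 28) + b"\x13\xc4\x13\xc4\x00\x08\x00\x00"
TUNNEL = ah_encapsulate("192.0.2.1", "198.51.100.1", INNER, next_hdr=4, spi=0x200)
TRANSPORT = ah_encapsulate("10.1.0.5", "10.2.0.9", b"hello", next_hdr=17, spi=0x100)
```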

Understanding LI/CALEA: Surveillance Model (diagram)

Understanding LI/CALEA
The intercept function is viewed as five broad categories:
- Access function: one or more intercept access points (IAPs)
- Delivery function: call content channels (CCCs) and call data channels (CDCs)
- Collection function: collecting and analyzing intercepted communications
- Service provider administration function: controlling the TSP access and delivery functions
- Law enforcement administration function: controlling the LEA collection function

Understanding LI/CALEA: Circuit IAP for a Two-way Communication (diagram)

Understanding LI/CALEA: Packet IAP for a Two-way Communication (diagram)

LI/CALEA Model for TDM_PKT_CHNL: Lawful Interception (LI) on a Circuit (TDM) or Packet (PKT) Channel for TDM_PKT_CHANNEL (diagram)
Elements shown: legacy phone A on the TDM side; DSP with EC, encoder and decoder; NP packetizer and unpacketizer; IP phone B on the packet side; taps on traffic coming to PKT and on traffic coming from PKT feed the LI function (LI TDM and LI PKT).

LI/CALEA Model for PKT_PKT_CHNL: Lawful Interception (LI) on a Packet (PKT) Channel for PKT_PKT_CHANNEL (e.g., wireless hand-off) (diagram)
Elements shown: IP phones A and B, each with a DSP (encoder/packetizer, decoder/unpacketizer) on a TDM_PKT_CHNL and an NP; PKT_PKT_CHNL legs, each with a DSP encoder/packetizer and an NP, feed LI_A and LI_B.

LI/CALEA Model for TDM_PKT_CONF_CHNL: CALEA Model with Conferencing (diagram)