Real-time Communications Security and SDN 2016
Securing the new generation of communications applications, those delivering real-time services including voice, video and Instant Messaging, is a challenge. Enterprises and service providers working with network infrastructures and cyber security policies designed for data-driven applications are experiencing this challenge. To add to this, new technologies, Network Function Virtualisation (NFV) and Software Defined Networking (SDN), are now deployed to support the ever-growing bandwidth requirements. Will adding these new technologies to networks already struggling to secure the current generation of applications push the goal of effective cyber security even further away, or can these technologies bolster security for Unified Communication services?

The Evolution of Real-Time Communications (VoIP, UC, IOT)

For the last 15 or more years, real-time communication services, voice and video calls plus Instant Messaging (IM), have undergone a rapid and dramatic evolution. This evolution started when PBX vendors realised that adopting IP networking as a basis for their core products gave them the ability to enhance their products and to deliver new features more quickly. This triggered the appearance of a range of IP-PBX products using IP networking to connect handsets to the PBX operating within the same location. At this stage telephony services were still provided via ISDN connections, so the benefits stopped at the enterprise network boundary.

The next evolutionary step was the introduction of SIP trunks, using IP networking to deliver a company's phone service. This enabled a greater range of services to be delivered at a lower cost. A new set of service providers emerged, Internet Telephony Service Providers, whose agility enabled them to introduce new Voice over IP (VoIP) services and to win business that traditionally would have gone to the incumbent telco. The evolutionary process did not stop there.
VoIP services have now matured into Unified Communication (UC) services combining a range of applications into a single integrated communication service.

While communications services have developed, the necessary parallel development of security services has not. A significant percentage of operational VoIP and UC systems are operating with a security model that was appropriate when telephony services were provided by national telecom carriers using private networks. Today, VoIP and UC services operate over IP networks including the public Internet. The trust models of the Internet and traditional telecom networks are radically different. The inevitable result is that VoIP and UC networks with their feature applications are under constant attack. A significant number of systems are falling victim to these attacks. The results include expensive call fraud attacks, service loss, leakage of confidential information and failure to meet legal data protection and compliance requirements.
If the risk of fraudulent calls racking up tens of thousands of dollars in charges is not a board-level problem, then the potential fines imposed by data protection authorities for a security breach certainly are.

There have been some attempts to address the VoIP and UC security challenge. In the early millennium a new product category emerged: the Session Border Controller (SBC). Although SBCs were at the time a good effort, they owe too much to the telecom security model based around SS7 infrastructure and not enough to the Internet security model. As evidence of this, UM Labs has audited a number of VoIP and UC deployments running well-known brands of SBC and has found that the security provided fails on a number of accounts, falling short of the level necessary to operate safely in an IP network. Observed problems include:

- SBCs providing no effective security other than a simple source IP address check, which a $50 router can offer.
- SBCs, Application Gateways and Proxy Gateways all failing to implement layered security: as deployed there is no interaction between the network, application and content levels, so that even the basic source IP address controls could be circumvented.
- SBCs allowing remote users to connect to an enterprise IP-PBX and make calls without positively identifying and authenticating the user.
- SBCs failing to detect and block a call fraud attack.
- SBCs unable to provide encryption services to protect the confidentiality of calls and, as a consequence, failing to meet legal requirements for compliance.

The Need for a Paradigm Shift

UM Labs was founded to develop new technologies for securing real-time communications (including VoIP and UC systems). It quickly became apparent that the evolutionary approach that had driven the development of UC applications would not deliver an effective solution. What was needed was a paradigm shift, a new approach to securing VoIP and UC applications.
This approach had to recognise the impact of the Internet security model on real-time communications. The architectural approach adopted by UM Labs was based on many years of experience in designing and building IP security products for data applications, while recognising the constraints imposed by the real-time nature of VoIP and UC.
It was also apparent that an effective security platform had to operate within a changing network environment. Data centre technology was moving away from racks full of dedicated hardware and embracing virtualisation. This triggered the need to manage service operation within the virtualised environment. Software Defined Networking (SDN) became the solution to this problem. To quote TechTarget:

"Software-defined networking (SDN) is an umbrella term encompassing several kinds of network technology aimed at making the network as agile and flexible as the virtualized server and storage infrastructure of the modern data centre. The goal of SDN is to allow network engineers and administrators to respond quickly to changing business requirements."

SDN, which in turn enables Network Function Virtualisation (NFV), was conceived to enable networks to meet the ever-growing demand for more bandwidth. VoIP and UC service providers and enterprises deploying these services clearly need the benefits of SDN. To build an effective set of security controls for VoIP and UC applications, UM Labs have adopted a software architecture able to deliver the level of security needed for a set of applications which have evolved from a telecom-orientated service, so that they operate safely within the Internet trust model. The same architecture is aligned to the SDN deployment model.
UM Labs Architecture

The UM Labs real-time communications security platform is built on a layered architecture. The foundation is a hardened operating system configured to run on all popular virtualisation hosts and cloud services. This foundation provides an environment for a set of multi-level security controls. The security platform is controlled by a management layer, which provides a set of management interfaces. The foundation layer and the management layer combine to enable the platform to operate within an SDN environment.

[Figure: UM Labs platform layers, top to bottom: SDN Interfaces; Management Layer; Content Security Layer; Application Security Layer; Network Security Layer; Hardened Operating System; Host / Cloud.]

Secure Foundation

A secure foundation is essential for any security system. The UM Labs platform is built on a hardened Linux operating system using design principles derived from building generic IP firewalls and application security systems. These design principles conform to the security constraints needed to meet the Common Criteria EAL4 level of security certification. The Common Criteria scheme is an international security certification scheme. In the USA the Common Criteria scheme is administered by NIAP, a joint venture between the NSA and NIST. EAL4 certification is applicable in those circumstances where developers or users require a moderate to high level of independently assured security.
The platform's underlying operating system is configured to enable deployment on all popular virtualisation host operating systems and cloud services. The platform takes advantage of supporting services provided by the host environment, obtaining essential operating parameters such as network interface configuration details from that environment.

Layered Security

The security threats facing real-time communications (VoIP and UC systems) are multi-levelled. Securing those systems requires multi-levelled security technology.

Network level security addresses the IP level threats faced by all IP-connected applications and systems. The need for IP network security for data applications is well established. There is a whole industry devoted to developing data firewalls to protect against threats at this level. VoIP and UC applications run on the same IP networks as data applications and therefore need the same protection. The security threats at the IP network level include:

- Denial of Service (DoS) attacks and distributed DoS attacks
- Flooding attacks
- Malformed packet attacks
- Port scanning and service enumeration attacks

DoS attacks, attacks designed to disrupt a network service, are a growing problem. Businesses with an Internet presence are a common target, where the attack can be motivated by political protest or by financial gain. The obvious question is: if firewalls are designed to protect data applications from DoS attacks, can they do the same for real-time communication (VoIP and UC) applications? The answer is no, because the protocols used for VoIP and UC are not firewall friendly. Configuring a firewall to handle SIP and the related protocol used to carry the audio and video streams in calls, the Real-time Transport Protocol (RTP), means opening up a large port range. This reduces the firewall's security to a level where a competent firewall administrator would not want to apply the necessary configuration.
The only effective way to implement the necessary IP security controls is as part of a comprehensive real-time communication (VoIP and UC) security product.
Application level security controls threats aimed directly at the VoIP, Video and IM (UC) protocols and applications. The complexity of these protocols means that there is a long list of potential threats. These threats can be combated only by implementing a range of security controls directed at the application level. In UC terms this means targeting security controls at the protocol messages responsible for functions such as tracking the status of connecting devices and managing calls. The security threats at the application level include:

- Denial of Service (DoS) attacks and distributed DoS attacks
- Flooding attacks
- Malformed message attacks
- Directory harvesting attacks
- Authentication attacks
- Call fraud attacks
- Protocol violation attacks

DoS attacks at the application level include flooding attacks, where the targeted system is flooded with requests, and also more subtle attacks where smaller numbers of invalid messages are sent with the aim of disrupting a service.

Content level security protects the content delivered by UC applications. This includes voice and video calls, text and other content delivered via Instant Messaging applications, and meta content such as presence information indicating the availability status of colleagues. All of these content types are potential attack targets. The most obvious attack is eavesdropping: listening in on voice and video calls or monitoring presence data to gather information on the identity of users. There are also a number of more subtle attacks, including:

- Media injection (replacing or disrupting voice or video streams)
- Media level denial of service attacks
- Call hijacking attacks (taking over one leg of an established call)
System Management and SDN

The system management layer provides multiple interfaces for installing, configuring and monitoring the UM Labs platform. The primary interfaces are a REST API, to enable configuration and monitoring of the platform's real-time communication (VoIP, UC) security policy, and integrated SDN support, to simplify deployment and to strengthen the security controls.

The UM Labs real-time communication (VoIP and UC) security platform is a complete software package including a hardened operating system and the layered security controls needed to protect VoIP and UC application systems and to ensure that those systems operate within current compliance regulations. The platform will run in all popular virtualisation environments and cloud services. Integrated SDN support ensures that instances of the platform may be installed on demand, with each instance using SDN functions or specific functions provided by the cloud service hosting the platform to map the network environment and to apply the appropriate configuration.

The UM Labs platform extends the use of SDN beyond simple deployment management. The platform functions by detecting security threats and taking the appropriate blocking action. Threat detection and blocking actions are implemented at multiple levels. In many cases the most efficient method of blocking a threat is to implement the blocking action at a lower level than the threat detection. As an example, a call fraud attack can only be detected at the application level, but the most efficient blocking mechanism is to instruct the network security layer to implement the blocking action. The UM Labs platform includes this level of feedback between threat detection and blocking action at all 3 security levels. SDN enables this feedback to be extended into the cloud.
When a threat is detected, the UM Labs platform is able to use SDN technology via protocols such as OpenFlow to instruct other network components or systems to block the source of the detected threat.

The UM Labs security architecture for real-time communication (VoIP and UC) applications, using a new design based on IP security principles and implementing layered security controls as a cloud-deployable software platform, is a natural fit for SDN. UM Labs maximise the benefits of SDN by using it to simplify deployment and by using SDN functions to ensure that other components in the network are configured to supplement the security for all real-time communication (VoIP and UC) applications.
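The application-level detection and lower-layer blocking feedback described in the two preceding sections, as an added example rather than UM Labs code: a small SIP request-line inspector flags directory harvesting, malformed messages and flooding per source address, and hands each verdict down as a network-level drop rule. The SIP request-line format is the one defined in RFC 3261; the user directory, thresholds, addresses and the dict standing in for an OpenFlow flow entry are constructed assumptions.

```python
import re
from collections import defaultdict
# RFC 3261 request line: METHOD Request-URI SIP-Version (user part captured)
SIP_REQUEST_LINE = re.compile(r"^([A-Z]+) sip:([^@\s]+)@(\S+) SIP/2\.0$")
KNOWN_USERS = {"alice", "bob"}  # constructed directory of valid IP-PBX users

class SipThreatDetector:
    def __init__(self, harvest_limit=3, flood_limit=10, malformed_limit=3):
        self.harvest_limit, self.flood_limit, self.malformed_limit = harvest_limit, flood_limit, malformed_limit
        self.unknown_targets = defaultdict(set)  # src -> non-existent users probed
        self.request_count = defaultdict(int)    # src -> requests seen
        self.malformed_count = defaultdict(int)  # src -> unparsable requests
        self.blocked = {}                        # src -> reason already pushed down

    def observe(self, src_ip, request_line):
        # Application-level inspection of one request; returns a network-level rule or None.
        if src_ip in self.blocked:
            return None
        self.request_count[src_ip] += 1
        match = SIP_REQUEST_LINE.match(request_line)
        if match is None:
            self.malformed_count[src_ip] += 1
            if self.malformed_count[src_ip] >= self.malformed_limit:
                return self._block(src_ip, "malformed-message")
        else:
            _method, user, _domain = match.groups()
            if user not in KNOWN_USERS:  # probing for accounts = directory harvesting
                self.unknown_targets[src_ip].add(user)
                if len(self.unknown_targets[src_ip]) >= self.harvest_limit:
                    return self._block(src_ip, "directory-harvest")
        if self.request_count[src_ip] >= self.flood_limit:
            return self._block(src_ip, "flood")
        return None

    def _block(self, src_ip, reason):
        self.blocked[src_ip] = reason
        return openflow_drop_rule(src_ip, reason)

def openflow_drop_rule(src_ip, reason):
    # Simplified flow entry as a dict (not OpenFlow wire format): match the IPv4
    # source; an empty instruction set tells the switch to drop the traffic.
    return {"match": {"eth_type": 0x0800, "ipv4_src": src_ip}, "instructions": [], "reason": reason}

SAMPLE_TRAFFIC = [  # constructed: one legitimate caller, one account harvester
    ("198.51.100.7", "INVITE sip:alice@pbx.example SIP/2.0"),
    ("203.0.113.9", "REGISTER sip:admin@pbx.example SIP/2.0"),
    ("203.0.113.9", "REGISTER sip:test@pbx.example SIP/2.0"),
    ("203.0.113.9", "REGISTER sip:sales@pbx.example SIP/2.0"),
]

def run(traffic=SAMPLE_TRAFFIC):
    # Returns the rules the application layer handed to the network layer.
    detector = SipThreatDetector()
    return [r for src, line in traffic if (r := detector.observe(src, line))]
```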
Independent regulatory authorities in Europe that direct service providers have stated clearly that security within the SDN paradigm is a challenge, as all layers, sub-layers and components need to communicate according to strict security policies. Some of the new challenges in protecting SDN derive from the main features of this paradigm: centralisation, abstraction and programmability. Efforts and advances are being made to improve the trust between third-party applications and the controller, to provide better cross-domain connection, to implement correct isolation of traffic and resources, and to integrate and improve the compatibility of legacy protocols.

The UM Labs design follows a bottom-up approach, estimating the threats that exploit more traditional network components and extrapolating them to the assumed SDN/NFV levels. UM Labs have by design implemented a rules-based stack to work with SDN and the 7-layer OSI model; because of this, the design does not take any one-layer design and hope that virtualisation delivers an integrated approach.