ToIP PROTECTION ITEM DESCRIPTION V2.1
Edition 4.0, p. 1/58
RSS/SSI/TeS/DCF/FH-PhD, 07/32, September 2009

Information contained in this document is the exclusive property of THALES Group and cannot be disclosed to a third party by the user without written authorisation given by THALES Communications.

CONTENTS

1. ToIP AND SERVICE SECURITY
  1.1 ToIP architectures and protocols
    Introduction
    H.323 protocol
    SIP (Session Initiation Protocol)
    MGCP (Media Gateway Control Protocol)
    Proprietary technologies
  1.2 ToIP services
  1.3 ToIP security: background and stakes
    From ISDN to ToIP
    The challenges
    The security stakes
    2009 and 2010: the critical years (p. 9)

2. WHAT PROTECTION FOR ToIP?
  2.1 Functional security blocks
    Network segmentation
    Access control at the edge of the data network
    Access control at the edge of the telephony network
    Network authentication
    Integrity and confidentiality of signaling and communications
    Server and application authentication
    Core filtering in front of servers: stream safety
  2.2 Focus: an application-layer filter to protect ToIP servers
  2.3 SBC, edge firewall, application-layer firewall
    Edge firewalls
    Session Border Controller (SBC)
    Application-layer protection for servers
    Conclusion

3. TEOZ: APPLICATION-LAYER SECURITY SOLUTION FOR ToIP
  3.1 TMZ: a sanctuary for voice and video applications
    TMZ
    TMZ partitioning
    Two filtering levels
  Real-time IP application-layer analysis: Protocol Expert Module (PEM)
    Stateful IP filtering
    Application-layer analysis
    Contextualized signatures
    IDPS
    Synthesis
    ToIP threats
    Examples in Layers
  Usage analysis and control: Session Expert Module (SEM)
    Description
    Supported protocols
    SEM module actions
    Examples of threats prevented by the SEM function
  Network functionalities
    IP translations
    Routing
    Connectivity, VLAN, aggregation
    Quality of Service (QoS)
    DHCP
    Date and time
  High availability (clustering) (p. 43)
    3.5.1 Principle
    VRRP (state protocol)
    Active/Passive mode
    Active/active mode
    Cluster supervision
    High Availability (OXE spatial redundancy)
  Hardware technology
  Licenses
  PEM module administration
    Secured access
    Configuration tool
    Supervision
    Logs
    Master/slave supervision architectures
  SEM module administration
  Updates
    Updating the software
    Updating IDPS
    Synthesis
  TEOZ 2000 and TEOZ
    Hardware characteristics
    Security-safety
    TEOZ 2000 performance
    TEOZ 3500 performance
  Alcatel-Lucent inter-operability

CONTACT INFORMATION (p. 58)

1. ToIP and service security

1.1 ToIP architectures and protocols

Introduction

H.323 protocol

The H.323 protocol is the ITU standard for audio-visual communication sessions over any IP network. H.323 is currently associated with additional standards such as H.225 (signaling) and H.245 (codec selection). To complement fax and data, RTP (Real-time Transport Protocol) is used for sending and receiving multimedia information. Further standards, such as H.450, provide supplementary services: call transfer, call forwarding, call hold, call waiting, etc. An H.323 system is composed of end-points, terminals, gateways, and gatekeepers (address resolution and bandwidth control). H.323 is the most commonly deployed ToIP (Telephony over Internet Protocol) protocol and is widely used in Internet real-time applications such as NetMeeting. However, SIP (Session Initiation Protocol) will probably become the more prevalent protocol in the years to come.

SIP (Session Initiation Protocol)

The SIP protocol is the IETF standard initially designed to create two-party or multiparty sessions. SIP is primarily used in ToIP applications; it is also used for other application-layer sessions. The SIP roadmap allows its use for other media streams, such as video conferencing and video, according to the development policy of the manufacturers. SIP is a text-based protocol, similar to HTTP, which can run over TCP, UDP or SCTP. A SIP system includes end-points (terminals, user agents (UA)), proxy servers or redirect servers, location servers and registrars; the last two may be hosted in the proxy server. SIP has been selected as the ToIP protocol for the fixed-mobile convergence of the IMS (IP Multimedia Subsystem) architecture defined by 3GPP, and was then adopted for the TISPAN architecture designed by ETSI. TISPAN and IMS have chosen different solutions for ToIP security: SIP uses TLS in TISPAN and IPsec in IMS.

MGCP (Media Gateway Control Protocol)

MGCP is a client-server protocol developed by Telcordia and Level 3 Communications, unlike SIP and H.323, which operate in peer-to-peer or client-client modes. MGCP was first used by American cable operators who wished to add phone services to their cable TV offerings. MGCP is a stimulus protocol, the endpoints being "low-intelligence" devices: the protocol is only used to carry keystroke information from the subscriber's set to a central server. The server then interprets the keystrokes to execute the corresponding actions. This protocol can therefore be used with all (analog or digital) terminals already installed at the client's facilities, and ToIP services can be deployed without impacting the existing terminal population. Similarly, ADSL Internet access providers and Centrex IP operators use this protocol: the central server controls the subscriber's set.

1.1.4 Proprietary technologies

Although standard protocols such as SIP are the most widely used, the offers of many ToIP providers are based on proprietary technologies. Examples:
- Cisco: Skinny Client Control Protocol (SCCP or Skinny)
- Nortel: Unistim
- Mitel: MiNet
- Alcatel-Lucent: Universal Alcatel (UA)
- Siemens: HiPath Feature Access (HFA)

These protocols often derive from ISDN technologies and represent a transition to IP; their objectives are to:
- keep a functional phone system identical to the existing ISDN one, which the standard protocols were not capable of at the beginning;
- ensure a smooth transition from ISDN to IP;
- ensure a captive market for terminals.

The related architectures vary widely from one provider to another, although the components are the same for all technologies. As the SIP protocol becomes mainstream and manufacturers such as Aastra or Avaya develop full SIP offers, proprietary technologies may lose ground. However, in 2009, proprietary technologies are still in use and represent the lion's share of corporate customers.

1.2 ToIP services

As we use a telephone every day, this technology seems rather simple. However, the services provided by PABXs, and then by IPBXs, are complex and numerous, and depend on the manufacturer. Moreover, additional services such as CTI (Computer Telephony Integration) and connections to IP applications are available. The main telephone services are:
- Black lists
- Recall
- Hold
- Call transfer
- Multi-party conference
- Call trace
- Calling line identification presentation
- Caller ID block
- Authentication
- IVR (Interactive Voice Response)
- Tone management (hold, transfer, etc.)
- Messaging
- Interface conversion (trunking mode)
- Vocoder conversion
- IPBX interconnection

1.3 ToIP security: background and stakes

From ISDN to ToIP

In ISDN architectures, voice and data applications are strictly separated:
- distinct networks,
- distinct terminals,
- distinct services,
- and distinct threats.

[Figure 1: ISDN architecture (components shown: ISDN PBX, ISDN, WAN IP (MPLS))]

With ToIP, this is no longer the case:
- integrated networks (at least at the hardware level),
- pooled terminals,
- converged services,
- and shared threats.

[Figure 2: ToIP architecture (components shown: IPBX, WAN IP (MPLS), ISDN)]

Although simple in appearance, convergence will be a source of complexity, first in terms of infrastructure, service and information security.

The challenges

We have to face it: ToIP is intrinsically vulnerable, because of several factors:
- Migration to IP. Telephony is becoming a common application in its design, using standard software components that do not integrate security requirements. Component vulnerabilities are then inherited by telephony applications.
- Number of network elements implemented: a ToIP infrastructure will use several hundred to several tens of thousands of network elements (routers, switches, servers, terminals, etc.), each one being a potential entry point for threats. In particular, ToIP terminals are functionally similar to computers, with operating systems, protocol stacks, HTTP services, FTP services, etc.; this phenomenon is further accelerated by the development of virtual terminals (softphones). The hacking of the iPhone through SMS reveals the potential weakness of terminals in an infrastructure.

- Variety and complexity of protocols: whether standard or proprietary, ToIP protocols are far more complex than the protocols currently used in data applications, in terms of semantics, sequencing and the succession of multi-protocol sessions required for a communication. This is no longer the request-response mode commonly used for data exchanges. Besides, most standard protocols are open and offered in various implementation configurations, according to the manufacturers, with proprietary extensions. SIP is therefore renowned for its misleading simplicity.
- Interconnection with data networks: by construction, the partition between voice and data networks is limited. To benefit from service convergence, resources such as directories, messaging, or DNS and DHCP services will have to be shared. Integration can be further extended for softphones, instant messaging and CTI. Voice and data services are thus exposed to each other's vulnerabilities, with possible cross-contamination.
- Availability and Quality of Service (QoS) requirements must also be considered: telephony services must meet our daily expectations, and ToIP must meet them in an open environment. Telephony is also critical for companies: any malfunction may lead to loss of revenue, loss of opportunities and loss of efficiency. Moreover, emergency calls must be possible at any time, to meet safety obligations and address person-related hazards. Service availability is a key point, even though alternative solutions such as messaging, e-business, mobile telephony and collaborative work are spreading rapidly.
- Finally, there is a great rush to market products and services based on ToIP. Rapid development and short time-to-market are decisive for the providers. Comprehensive, native security implementation is considered, rightly or wrongly, as a complication that slows down availability.

As a result, fraud and attacks increase significantly: these new means of communication are diverted from their original use, and their weaknesses are exploited.

The security stakes

They are classified in four categories.

Confidentiality

1. Signaling confidentiality, which is too often disregarded. Non-encrypted signaling allows the network topology, stream matrices, applications and protocols to be discovered and attack strategies to be developed.
2. Communication confidentiality: to protect the strategic data of the company (know-how, strategy, finances, commercial offers, litigation, conflicts, etc.) that can be used in fierce economic competition, whatever the field of activity and size of the company (an issue neglected by too many companies), and to protect personal data (privacy) exchanged during phone conversations. This is the case for administrations (income tax and social services, health services, legal services, etc.) and the private sector (banks, insurance companies, human resource departments, etc.). Many States require confidentiality of personal data stored and exchanged in information systems, including phone systems. Traditional telephony is considered safe because we assume that tapping is not possible without physically acting on the devices. IP communications are vulnerable to call interception (tapping) like any other IP application, especially if voice and data applications and networks are not sufficiently segmented. In addition, segmentation (VLANs) is not the ultimate solution.

Availability

The purpose of ToIP is to deliver the % availability of ISDN telephony. Even if the new technological base seems unable to deliver this availability, the target is nevertheless 99.99%, which is high for a computer application. To achieve this performance, suitable resilient architectures will be implemented, with the related energy supply and air conditioning. Unavailability due to aggressive streams or behaviors must also be prevented. Migration to IP makes the availability of the phone service more vulnerable to internal and external denials of service. Because of the sensitivity of telephone systems, a slightly downgraded Quality of Service makes the application unavailable: attacks can be much more subtle than bandwidth saturation. Such attacks may alter the traffic and prevent access to the company's data. There are two ways of generating denial of service attacks in ToIP:
  o Making the resources indispensable to the application (call server, directory, DNS, etc.) unavailable by saturation, freeze or isolation. Note: in ToIP, saturation can be achieved with a low bit rate or a great number of connections, so such attacks can be rather furtive.
  o Discouraging use: making the terminals ring randomly until call pickup is abandoned; downgrading the communication quality by changing codecs or introducing jitter; aborting calls by introducing latency or interfering with packet routing.

Finally, denial of service can also result from technical failures, especially when using low-cost technologies of insufficient maturity (e.g. some SIP terminals).

Fraudulent, unlawful or abusive use

The abusive use of telephone services charged to companies is already widespread in ISDN technology: call forwarding to premium-rate or international numbers, conference bridges used to connect external subscribers free of charge, etc. The objective is not only to detect fraudulent use (e.g. intrusion into the system for mercantile purposes) but also to detect abuse of their rights by authorized subscribers.

Identity fraud

This is related to confidentiality and fraud. It involves identity spoofing or stealing the personal details of a user, either to obtain unauthorized rights or privileges, or to deceive a correspondent. Besides the direct risks, there is a risk of compromising the trust placed in financial and state certifications (SOX, Basel II, LOF, etc.) by weakening the non-repudiation mechanisms.

Civil and penal responsibility

This deals with the liability of Organization A whose ToIP system is hacked and used to harm Organization B. In this case, and according to the losses, Organization B is entitled to have Organization A condemned and to claim civil remedies by law. The risks in terms of finance and image can be substantial. Therefore Organization A must detect intrusions and stepping-stone attacks beforehand and, in case of an attack (security is not infallible), demonstrate its goodwill.

Nuisances like SPAM

SPIT (Spam over Internet Telephony) and SPIM (Spam over Instant Messaging) may become nuisances for ToIP. By comparison, more than 90% of e-mails are now considered as SPAM, and there is no reason for this to be different for ToIP and instant messaging.

2009 and 2010: the critical years

In computer security, it has been demonstrated that, when a new application is widely deployed, it takes about 3 years for the protection and security aspects to be considered. This is due to the following reasons:
- rush to market;
- the time necessary for the actors to apprehend the application's vulnerability, deployment, impact and interactions with infrastructures, and the induced uses and behaviors.

The year 2009 is a milestone for ToIP: during seminars, customers are no longer asking whether ToIP must be secured; instead they are rightfully asking: "what do you suggest to secure ToIP?". Similarly, quality of protection is becoming a selection criterion for ToIP systems, with significant impact for the manufacturers. Besides, this 3-year delay is also observed in hacking. Most intrusions or frauds are no longer committed by individuals for notoriety, but are attempted by criminal organizations, strictly for mercantile purposes: stolen data or topology information can be sold to third parties or serve for blackmail (e.g. denial of service or disclosure). These operations require comprehensive knowledge of the applications, which takes time and requires investment for their development, with risk-taking in their execution. The return on investment must be sufficient; two main factors can be considered:
- Criticality level of the application for the Organization: coverage rate, maturity, embedding in the IS, and impact on operations. This determines the marketing and blackmail value of the data.
- Extent of the computer population: wide application coverage results in increased vulnerability and higher profits from fraud.

Three to four years are required for these two parameters to become mature: this is the case in 2009 and 2010.

2. What protection for ToIP?

2.1 Functional security blocks

The next figure summarizes the main components of ToIP protection.

[Figure 3: bricks for protection (components shown: server authentication; integrity and confidentiality of communications; stream safety; call servers; hiding, translation ("peering"); network authentication; ISDN; integrity and confidentiality of signaling; IP WAN (MPLS); voice/data/video/administration segmentation; access control to network, NAT, pinholing)]

Network segmentation

To avoid stepping-stone attacks from the data network to the voice network, streams will be segmented into different virtual (if not physical) networks. There are four virtual networks: voice, data, video, and administration. This is achieved through VLAN technologies. Although this measure is necessary and common sense, it is far from sufficient, even if some users believe otherwise. Bridges may exist between these 3 VLANs:
- To benefit from convergence, some applications will be used by ToIP services/terminals and by data services/terminals as well: messaging, directories, DNS, DHCP.
- Some terminals can give access to both voice and data networks, e.g. PCs with softphones.
- A voice/data/video infrastructure for corporate customers will implement several hundred to several thousand routers, switches and gateways that will be configured to support VLANs. Can any network operator claim that the VLAN configuration will be perfect and coherent at all times?
- Even if the VLAN configuration were ideal, inter-VLAN bridging is easy for experienced technicians.

2.1.2 Access control at the edge of the data network

This is the existing edge firewall, which often predates the ToIP implementation. The ToIP functionalities required from this firewall are limited to the border (see 4.3).

Access control at the edge of the telephony network

We have two situations to consider: peering (network interconnection) and filtering (access control) specific to voice streams. For peering, there are two functional needs:
- Hiding the Organization's network from the operator and vice versa. This requires advanced NAT functions, more complex than the functions proposed by edge firewalls.
- Translating the protocols used in the Organization's network into those used in the operator's network, and vice versa.

Some networks may use Session Border Controllers (SBC) (see 4.3). For specific filtering, a voice application firewall can be used.

Network authentication

A protocol such as 802.1x, currently offered by providers, can be used.

Integrity and confidentiality of signaling and communications

These services are provided by stream encryption. All providers currently propose stream encryption, activated by default or not, the key point being the impact on deployments and performance. Free encryption services must not be trusted, because their performance is not constant: hardware will have to be changed or added, and not free of charge. Several technologies are available:
- IPsec and SIP-TLS for signaling,
- SRTP for communications.

Server and application authentication

Network authentication is not enough. An effective solution must ensure that only authorized terminals connect to ToIP services: this is the role of signaling encryption, achieved through the sharing of certificates and encryption keys.

Core filtering in front of servers: stream safety

This block provides complex content control functions and call session control functions that cannot be ensured by edge firewalls. This function is useful in front of servers, because it controls all data streams between terminals and servers and between servers. Only an application-layer filter specific to ToIP is capable of meeting this requirement.

2.2 Focus: an application-layer filter to protect ToIP servers

As we have seen in the previous chapters, a security package for ToIP must address all threats pertaining to IP as well as to ISDN. Most security packages currently available with the ToIP label focus on the IP aspects (often partially) and merely extend standard network security solutions to telephone applications, without considering the specific threats to the systems and protocols and their particularities. An application-layer protection mechanism for ToIP must be multi-functional to address all levels of protection (see 4.3.3).

2.3 SBC, edge firewall, application-layer firewall

Firewall, application-layer analysis, SBC: as seen in Section 4.1 Functional security blocks, these three components are required to efficiently protect ToIP services. They are, however, not interchangeable, in spite of what some providers might lead one to believe, which is a source of confusion for users. The purpose of this section is to clarify the definition of each of these items.

Edge firewalls

These devices were developed in the 90s, when companies were connected to the Internet. Their purpose was to protect company intranets from threats coming from the Internet and to control incoming and outgoing streams. Firewalls were designed to decide what network traffic should be let through or blocked on Internet or MPLS connections: which protocols, ports and addresses to control? Firewalls generally have limited or non-existent content control functionalities, because this control level is resource consuming. To be effective, edge filtering would require controlling all protocols accessing the network at that point. As a result, the device size would need to increase, with significant risks of congestion. How and where would service be denied to voice protocols by blocking POP3 or HTTP traffic? Besides, firewall engines were designed to handle simple protocols operating in a request-response mode, such as HTTP or POP3. They are therefore not suited to complex ToIP protocols and sessions. The ToIP functionalities of firewalls can be broken down into two categories.

Dynamic opening and closing of secondary communication ports (pinholing)

Edge firewalls are often already installed when ToIP is deployed, and users do not want to change them. ToIP uses successive protocol sessions to establish and maintain communications: first a primary session (e.g. signaling) with predictable characteristics (protocols, ports, etc.) that can be included in the firewall filter. However, the primary session is used to initiate secondary sessions (e.g. communications) with random characteristics, especially ports, that are defined during the primary session. Therefore, there are two possible situations:
  o The edge firewall is not able to decode the data exchanged during the primary session: by default, all communication ports likely to be used by the secondary communications have to be opened, otherwise outgoing/incoming communications could not get through the firewall. This cancels the border filter. This situation prevailed in the first ToIP deployments.

  o The edge firewall is able to decode the data exchanged during the primary session: only the necessary ports are dynamically opened at the start of the secondary session and closed at the session's end. The related security flaws are then removed.

Network Address Translation in Layer 7

ToIP protocols carry address data in Layer 3 as well as in Layer 7. Addresses are often private on the LAN and therefore have to be translated into public addresses at the border for routing over the operator's or ISP's network (NAT: Network Address Translation). If the edge firewall in charge of this function performs NAT in Layer 3 only, the private addresses remain in Layer 7 and communications cannot be established. NAT therefore also has to be performed in Layer 7, which was not the case in the original edge firewalls.

These two functionalities are the only ones absolutely necessary in edge firewalls, and are therefore the only ones to be implemented. They require retrieving the data available in Layer 7 (application layer). Many providers propose firewalls with "application-layer analysis" capabilities, which is a misuse of the term, because no security control is performed at that level, only the lookup or modification of parameters. Security controls operate in Layers 3 and 4. As pinholing and NAT do not allow the progress of application-layer sessions to be controlled, which is the purpose of application-layer analysis, they do not need to be implemented at the border.

Session Border Controller (SBC)

SBCs are border devices. Unlike the edge firewalls described in the previous section, they are located at the border of the voice infrastructure, at the connection to the operator's SIP or H.323 trunk. The SBC's role is fundamentally the interconnection of networks (peering). SBCs are provided with a suitable functional application content to cover the following needs:
- Network topology hiding: the Organization must not know the network of its operator and vice versa. This is achieved through advanced NAT functions that can hide data other than address data.
- Protocol translation: for the transparent interconnection of networks that do not use the same protocols or the same protocol implementations (e.g. SIP to H.323, or SIP A to SIP B).
- Traffic and user management:
  o application routing, e.g. for incoming calls, with SIP, to softswitches;
  o managing overflows, e.g. routing excess outgoing calls to Internet or PSTN connections;
  o call/session admission control;
  o SIP registrar and RAS gatekeeper.

Originally, SBCs were used to interconnect operators' networks. With the arrival of the H.323 trunk and then the SIP trunk, functional needs now exist for company/operator interconnections.

Application-layer protection for servers

Although they operate at the application level, SBCs are not designed to be used in the infrastructure core, i.e. to protect servers. Their functional strong points (see previous section) are of limited use there.
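The two border functions described above, pinholing and Layer 7 NAT, as an added Python example (not code from the original document or from TEOZ). It parses a constructed SIP INVITE with an SDP offer, derives the RTP/RTCP pinholes the border must open, detects private addresses that a Layer 3-only NAT would leave in the Via, Contact and SDP lines, and rewrites them; the addresses, ports and SIP identifiers are constructed sample values.

```python
import re
from ipaddress import ip_address, ip_network

# RFC 1918 ranges: LAN addresses that must not leak past the border.
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
           ip_network("192.168.0.0/16")]
IPV4 = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")


def build_invite(addr, rtp_port):
    """Constructed SIP INVITE with an SDP offer. The Layer 7 copy of the
    address appears in Via, Contact and the SDP o= and c= lines."""
    body = (
        "v=0\r\n"
        f"o=alice 2890844526 2890844526 IN IP4 {addr}\r\n"
        "s=-\r\n"
        f"c=IN IP4 {addr}\r\n"
        "t=0 0\r\n"
        f"m=audio {rtp_port} RTP/AVP 0 8\r\n"
        "a=rtpmap:0 PCMU/8000\r\n"
        "a=rtpmap:8 PCMA/8000\r\n"
    )
    head = (
        "INVITE sip:bob@example.net SIP/2.0\r\n"
        f"Via: SIP/2.0/UDP {addr}:5060;branch=z9hG4bK776asdhds\r\n"
        "From: <sip:alice@example.com>;tag=1928301774\r\n"
        "To: <sip:bob@example.net>\r\n"
        "Call-ID: a84b4c76e66710@alice-pc\r\n"
        "CSeq: 314159 INVITE\r\n"
        f"Contact: <sip:alice@{addr}:5060>\r\n"
        "Content-Type: application/sdp\r\n"
        f"Content-Length: {len(body)}\r\n"
    )
    return head + "\r\n" + body


SAMPLE_INVITE = build_invite("10.1.2.3", 49170)   # private LAN address


def split_message(msg):
    """Return (request line, {lower-case header name: value}, body)."""
    head, _, body = msg.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def parse_sdp(body):
    """Return the SDP connection address and the (media, port) pairs."""
    conn, media = None, []
    for line in body.split("\r\n"):
        if line.startswith("c="):
            conn = line.split()[2]               # c=IN IP4 <addr>
        elif line.startswith("m="):
            kind, port = line.split()[:2]
            media.append((kind[2:], int(port)))
    return conn, media


def pinholes(msg):
    """(address, port) pairs the border must open for the secondary
    session: the RTP port of each m= line plus RTCP on port+1 (the
    RFC 3550 default when no a=rtcp attribute is present)."""
    _, _, body = split_message(msg)
    conn, media = parse_sdp(body)
    holes = []
    for _, port in media:
        if port == 0:                            # port 0 = media refused
            continue
        holes += [(conn, port), (conn, port + 1)]
    return holes


def leaked_private_addresses(msg):
    """Private addresses still visible anywhere in the message."""
    found = {a for a in IPV4.findall(msg)
             if any(ip_address(a) in net for net in RFC1918)}
    return sorted(found)


def nat_rewrite(msg, private, public):
    """Layer 7 NAT: rewrite the address in Via, Contact, o= and c=, then
    recompute Content-Length because the body length may change."""
    head, _, body = msg.partition("\r\n\r\n")
    body_lines = [ln.replace(private, public) if ln.startswith(("o=", "c="))
                  else ln for ln in body.split("\r\n")]
    new_body = "\r\n".join(body_lines)
    head_lines = []
    for ln in head.split("\r\n"):
        name = ln.split(":", 1)[0].strip().lower()
        if name in ("via", "contact"):
            ln = ln.replace(private, public)
        elif name == "content-length":
            ln = f"Content-Length: {len(new_body)}"
        head_lines.append(ln)
    return "\r\n".join(head_lines) + "\r\n\r\n" + new_body
```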

Application-layer protection for servers focuses on the following aspects.

Precision analysis of protocol streams, to ensure session syntax, consistency and integrity:
  o checking the content and format of packets and packet fields;
  o checking the consistency and integrity of a primary session on Protocol A;
  o checking the opening of the secondary sessions (Protocols B, C, etc.) started by Protocol A;
  o checking the consistency and integrity of the secondary sessions (Protocols B, C, etc.);
  o checking the consistency of the secondary sessions (Protocols B, C, etc.) with what was announced during the primary session (Protocol A).

ToIP protocols, sessions and session links are much more complex than anything previously known in data services. Suitable engines have to be implemented, and the protocol technologies used by the providers have to be precisely known. Finally, standard protocols (SIP, etc.), proprietary protocols and proprietary extensions of standard protocols all have to be comprehensively covered.

Fight against fraud, abusive use and SPIT

This service is provided at the protocol level: telephone session parameters (E.164 numbers, call directions, time stamps, codecs, etc.) have to be retrieved and compared against specific rules. This requires advanced protocol analysis capability and the implementation of a specific engine, different from the engine that handles protocol analysis.

Support of back office streams

For efficient and comprehensive operation with minimum impact on the infrastructure, the application-layer filter must be capable of managing protocols or streams that can only be seen at the servers (e.g. CSTA phases 2 and 3 and redundancy streams).

Support of ToIP traffic profiles

The application-layer filter deployed in front of ToIP servers is sized and tested according to traffic profiles very different from what is known at the network border. The filter must allow server restart, i.e. the simultaneous reconnection of all terminals to the servers within a short time. The platform is therefore sized not for data throughput (the traditional performance indicator for firewalls and IDPS) but for very short and very aggressive session bursts.

Real-time stream processing

The ToIP application-layer filter must have no impact in terms of latency and jitter, key parameters for the quality of the phone service. Therefore, the filter especially implements:
  o processor technologies specialized in networking and security, with sets of specialized instructions: multi-purpose industrial PCs are thus excluded;
  o a software architecture that optimizes processing operations;
  o advanced hardware/software integration;
  o low use of hardware resources to avoid congestion points, including during the most critical burst phases.

High availability

The application-layer security solution is included in the ToIP SLA, including 99.99% availability, and offers the functionalities needed to achieve this rate. Contractual agreements between manufacturers and ToIP providers include this requirement.
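The two core-filter checks described above, as an added Python example (not code from the original document or from TEOZ): first the consistency of a secondary (RTP) session with what the primary (signaling) session announced, then usage rules applied to session parameters (E.164 numbers, call direction, time stamp) to catch premium-rate fraud, out-of-hours international calls and SPIT-like calling patterns. The negotiated parameters, the policy values (home country code, premium prefix, business hours, rate threshold) and the call log are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Parameters of one call as the core filter would extract them from the
# primary session (constructed; the media tuple mirrors an SDP offer).
NEGOTIATED = {
    "call_id": "a84b4c76e66710@alice-pc",
    "caller": "+33100000001",
    "callee": "+33198765430",
    "direction": "outbound",
    "media": {"addr": "10.1.2.3", "port": 49170, "payload_types": {0, 8}},
}

# Assumed site policy (constructed values, not a real numbering plan).
POLICY = {
    "home_cc": "+33",
    "premium_prefixes": ("+3389",),
    "business_hours": (8, 19),              # international allowed 08:00-18:59
    "max_distinct_callees_per_minute": 5,   # above this from one caller = SPIT
}


def check_secondary_session(negotiated, flow):
    """Accept an observed RTP flow only if it matches the primary session:
    same destination address and port, and a payload type that was offered."""
    media = negotiated["media"]
    if (flow["dst_addr"], flow["dst_port"]) != (media["addr"], media["port"]):
        return (False, "RTP to an address/port not negotiated in SDP")
    if flow["payload_type"] not in media["payload_types"]:
        return (False, f"payload type {flow['payload_type']} was not offered")
    return (True, "consistent with primary session")


def check_usage(call, policy=POLICY):
    """Return the policy violations for one call attempt (empty list = allowed)."""
    reasons = []
    if call["direction"] != "outbound":
        return reasons
    callee = call["callee"]
    if callee.startswith(policy["premium_prefixes"]):
        reasons.append("outbound call to premium-rate number")
    if not callee.startswith(policy["home_cc"]):
        start, end = policy["business_hours"]
        if not start <= call["time"].hour < end:
            reasons.append("international call outside business hours")
    return reasons


def detect_spit(calls, policy=POLICY):
    """Flag callers reaching more than N distinct callees in any 60 s window:
    low bit rate, many sessions, the furtive pattern the text describes."""
    by_caller = {}
    for c in calls:
        by_caller.setdefault(c["caller"], []).append(c)
    window = timedelta(seconds=60)
    flagged = set()
    for caller, attempts in by_caller.items():
        attempts.sort(key=lambda c: c["time"])
        for i, c in enumerate(attempts):
            recent = [a for a in attempts[: i + 1] if c["time"] - a["time"] <= window]
            if len({a["callee"] for a in recent}) > policy["max_distinct_callees_per_minute"]:
                flagged.add(caller)
                break
    return flagged


def mk(caller, callee, t, direction="outbound"):
    return {"caller": caller, "callee": callee, "time": t, "direction": direction}


# Constructed call log: one extension sweeping 7 numbers in 24 seconds,
# one extension making an international call and a premium-rate call.
T0 = datetime(2009, 9, 7, 10, 0, 0)
SAMPLE_CALLS = [mk("+33100000001", f"+3319876543{i}", T0 + timedelta(seconds=4 * i))
                for i in range(7)]
SAMPLE_CALLS += [
    mk("+33100000002", "+441632960001", T0 + timedelta(minutes=1)),
    mk("+33100000002", "+3389123456", T0 + timedelta(minutes=2)),
]
```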

Integration, validation and simulation capabilities

The manufacturer of the ToIP application-layer security solution must have laboratories able to reproduce actual client environments:
  o complete systems with the related applications;
  o the skills for realistic and demanding configuration;
  o simulation tools for traffic and for the providers' terminals, to realistically simulate the behavior of a real infrastructure.

Cooperation with ToIP providers

Only close cooperation with ToIP providers can meet these requirements:
  o access to detailed technical specifications;
  o early access to technical developments (roadmap synchronization);
  o access to R&D expertise;
  o access to test and simulation environments;
  o implementation of suitable support and escalation processes.

In any case, relying on reverse engineering is potentially very risky for end-users.

Conclusion

Edge firewalls, SBCs and application-layer security solutions have distinct characteristics and purposes: their functional contents are therefore different. Some confusion may remain, sometimes created by providers. Strictly in terms of presence/absence of functions, these three items may seem equivalent. Even if the lists of functions can be similar, the completeness and maturity level of each solution make them non-interchangeable. Checking the presence or absence of a function is not enough: each function must be weighted according to its quality. We then obtain a functional center of gravity that varies from one solution to the other. The next figure illustrates the positioning of each solution.

[Figure 4: functional weighting (solutions compared: edge FW, TEOZ, SBC; axes shown: performance, routing, QoS, data protocols, analysis engine, voice protocols, network interconnection)]

As a conclusion, the next figure summarizes the position of each item in the network.

[Figure 5: positioning in the network (elements shown: voice/video servers, SBC, distant subscribers, voice IP WAN, firewall, data IP WAN / Internet)]

3. TEOZ: application-layer security solution for ToIP

TEOZ is an application-layer security solution for ToIP: it is designed for the sole purpose of protecting the applications critical to ToIP. TEOZ is embedded in the Organization's network to create a Trusted Multimedia Zone (TMZ) that hosts sensitive devices such as servers. The next sections describe the notion of TMZ and the application-layer security services offered to IP and telephony systems.

3.1 TMZ: a sanctuary for voice and video applications

TMZ

As described in the first part of this document, multimedia applications, and especially ToIP, will become the next major target for attacks, due to their Quality of Service sensitivity and fraud potential. Application availability is critical for the Organization and has strong psychological effects. Therefore, suitable security mechanisms must be implemented at the organizational and architectural levels as well as at the technical level. These measures must be more rigorous than those currently available for data or messaging services, which tolerate a downgraded Quality of Service. Attacks on ToIP can be launched from outside; however, in view of what has been happening in computer networks for several years, many attacks have been and will be launched from inside the infrastructure, either directly or by using an internal active component as a stepping-stone. To secure ToIP availability and Quality of Service, all active elements, including terminals, must be considered as sources of potential (intentional or unintentional) attacks. Thus, the security of ToIP applications must be considered not only at the infrastructure border, but also at the core, i.e. as close as possible to the services to be protected. Each active element, each terminal, is likely to generate or relay attacks. Therefore, efficient filtering must be provided between applications and users, and between the applications themselves. Streams are analyzed on all network interfaces, between applications and users (subscribers or cooperating applications), and applications are isolated in a dedicated network area called the Trusted Multimedia Zone (TMZ). The TMZ is therefore a sanctuary for vulnerable servers.

[Figure 6: Trusted Multimedia Zone]

TMZ partitioning

In the simplest situation, all services necessary to a ToIP application are dedicated to this application, including the directory, DNS and messaging, which are separated from the data application services. They may then be positioned in a single common TMZ. However, depending on the level of convergence required by the Organization, some services could be pooled between voice and data applications (e.g. directory, messaging and DNS). In this case, the TMZ could be partitioned into several sub-areas (e.g. two):
- One for applications dedicated to ToIP: call managers, ToIP DHCP, data backup
- One for services pooled between voice and data: messaging, DNS, directory

TEOZ will be positioned on the LAN, at the center of a triangle formed by the LAN and the two sub-TMZs. TEOZ will then be able to filter the streams between the LAN and the TMZ, and between both sub-TMZs.

Two filtering levels

The TMZ is created by adding a second filtering stage, at the infrastructure core, which complements the edge filter. The two filtering stages are the following:
- 1st stage:
  o At the data border: access control to the network (which protocols, ports and addresses are allowed?)
  o At the voice border: access control to the network and peering where applicable (advanced NAT and protocol translation)
- 2nd stage, at the core: content control (syntax and consistency of packets and protocol sessions)

Architectures with two filtering levels, border and core, are already well known for other critical applications such as web services (HTTPS, SOAP, XML), FTP or SQL databases. In all these cases, core filtering is performed by specialized devices (web firewalls, SQL firewalls, FTP firewalls) that are distinct from the border devices. It is also worth noting that these specialized devices are designed and marketed by specific vendors, because their business models differ from those of edge firewalls.

The TMZ notion, created with TEOZ, applies the same approach to another critical application: ToIP.

[Figure 7: the two filtering levels. Panels: Web services / e-business / ERP / CRM (HTTP, XML, SOAP application filter); FTP(S) services (FTP application filter); Databases (SQL application filter); ToIP / Unified communications; internal users; IP WAN; PSTN. Caption: the use of specialized items is already standard for critical applications]

3.2 Real-time IP application-layer analysis: Protocol Expert Module (PEM)

The solution is based on this set of services. The Protocol Expert Module is a firewall (IDPS) dedicated to voice and video applications. It is characterized by a comprehensive knowledge of standard protocols (SIP, H.323, MGCP, RTP, RTCP, SDP, etc.) and by its capability to embed analysis modules for proprietary (Alcatel-Lucent, etc.) or specific (CSTA ASN.1) protocols.

The main advantages of the PEM technology are:
- Implementation of different protection techniques working in synergy to protect the network, application and content layers
- High performance through the seamless integration of the analysis engines in a consistent architecture
- A homogeneous administration environment (graphical interface)

The main security functions implemented in the PEM are:
- Stateful IP filtering:
  o State engine for Layers 3 and 4
  o Authorization/denial of protocols, ports and addresses
  o Dynamic opening/closing of ports
- Analysis of IP application layers:
  o Compliance analysis of protocol syntax (compliance with RFCs or proprietary specifications)
  o Compliance analysis of application protocol behavior

  o Protocols supported: SIP, MGCP, H.323, RTP, RTCP, RTSP, CSTA, SSL, SNMP, SQLnet, NetBIOS, DNS, FTP, TFTP, HTTP, proprietary protocols
- IDPS based on contextual signatures

The engine used by the PEM is the first real-time technology that combines stateful IP filtering techniques with application-layer analysis techniques. The protection is based on stream analysis at the level of the inter-application communication protocols. Compliance with RFCs or proprietary specifications is used to detect attacks such as:
- Redirection
- Call interception
- Denial of service

However, while compliance with specifications ensures communication quality, the specifications are not written with system security in mind. As a result, some attacks do not violate the protocol specifications at all. Checking that protocols also comply with their expected behavior allows the following attacks to be blocked:
- Encapsulation of peer-to-peer protocols (instant messaging, file sharing, communications, etc.)
- Directory browsing, where an attacker gains control over an HTTP service by using abnormal requests in the URL
- Buffer overflows caused by unusually long requests
- Transport of malicious data in application-layer requests (code injection, use of reserved bytes, etc.)

By analyzing applications and controlling their operation, the analysis engine defines the expected behavior. A violation of the security rules triggers a preventive action (active response) and/or an alert message to the administrator. Unlike strictly reactive methods (based only on signatures), the engine protects the ToIP system against unknown and complex attacks. The PEM is updated frequently to keep up with the evolution of protocols and to add new protocol tests.

Protocol-specific rules can also be configured:
- Restrict/ban commands
- Restrict parameters (request sizes, etc.)

This level of control is configured by the administrator. An analysis module (each protocol is associated with its own module) acts as a configuration object that can be associated with a service; its parameters are defined by the administrator.

Stateful IP filtering

This section describes the specifications of IP filtering and the checks performed at the different OSI layers, up to the Transport Layer. The specifications of application-layer checks (up to OSI Layer 7) are described in the following section, Application-layer analysis.
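As an added worked example (not TEOZ code, and not a description of how the PEM is implemented), the following Python script shows what the checks listed above look like for SIP: RFC 3261 syntax parsing, mandatory-header and CSeq/Content-Length consistency checks, an administrator policy that bans methods and bounds header sizes, and the dynamic opening and closing of RTP/RTCP ports driven by the SDP of a compliant INVITE and the BYE of the same call. The policy values, the example.com addresses, the 192.0.2.10 host and the sample messages are all constructed for the illustration.

```python
"""Added illustration (not TEOZ code) of a core SIP filter: RFC 3261 syntax and
consistency checks, administrator policy and SDP-driven dynamic media pinholes."""
import re

# Hypothetical administrator policy; an assumption, not TEOZ configuration.
POLICY = {"allowed_methods": {"INVITE", "ACK", "BYE", "CANCEL", "OPTIONS", "REGISTER"},
          "max_header_value": 512, "max_message": 4096}  # sizes in bytes
# Headers every SIP request must carry (RFC 3261, section 8.1.1).
MANDATORY_HEADERS = ("Via", "From", "To", "Call-ID", "CSeq", "Max-Forwards")
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) SIP/2\.0$")
CSEQ = re.compile(r"^(\d+) ([A-Z]+)$")

def parse_sip(raw):
    """Return (method, uri, headers, body); ValueError on non-RFC syntax."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    match = REQUEST_LINE.match(lines[0])
    if not match:
        raise ValueError("malformed request line")
    headers = {}  # name -> list of values, since a header may repeat
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError("malformed header line")
        headers.setdefault(name.strip(), []).append(value.strip())
    return match.group(1), match.group(2), headers, body

def check_request(raw, policy=POLICY):
    """Findings for one request; an empty list means it passes all checks."""
    if len(raw) > policy["max_message"]:
        return ["message exceeds size limit"]
    try:
        method, _uri, headers, body = parse_sip(raw)
    except ValueError as err:
        return ["syntax: " + str(err)]
    findings = []
    if method not in policy["allowed_methods"]:          # restrict/ban commands
        findings.append("method %s not allowed" % method)
    for name in MANDATORY_HEADERS:
        if name not in headers:
            findings.append("missing mandatory header " + name)
    for name, values in headers.items():
        for value in values:
            if len(value) > policy["max_header_value"]:  # restrict request sizes
                findings.append("header %s too long" % name)
            if any(ord(ch) < 0x20 and ch != "\t" for ch in value):
                findings.append("control bytes in header " + name)
    # Consistency: CSeq names the request method; Content-Length matches the body.
    cseq = CSEQ.match(headers.get("CSeq", [""])[0])
    if cseq and cseq.group(2) != method:
        findings.append("CSeq method does not match request")
    if "Content-Length" in headers:
        declared = headers["Content-Length"][0]
        if not declared.isdigit() or int(declared) != len(body.encode()):
            findings.append("Content-Length does not match body")
    return findings

def media_pinholes(body):
    """(ip, port) pairs to open for the media an SDP body announces: RTP on the
    m= port, RTCP on port + 1.  Assumes one session-level c= line."""
    conn_ip, ports = None, []
    for line in body.splitlines():
        if line.startswith("c=IN IP4 "):
            conn_ip = line.split()[2]
        elif line.startswith(("m=audio ", "m=video ")):
            ports.append(int(line.split()[1]))
    return [] if conn_ip is None else [(conn_ip, p + k) for p in ports for k in (0, 1)]

def update_pinholes(table, raw):
    """Dynamic port state keyed by Call-ID: a compliant INVITE carrying SDP opens
    its media ports, the BYE of the same call closes them; a request with
    findings is dropped and leaves the table untouched."""
    findings = check_request(raw)
    if findings:
        return "DROP", findings
    method, _uri, headers, body = parse_sip(raw)
    call_id = headers["Call-ID"][0]
    if method == "INVITE" and body:
        table[call_id] = media_pinholes(body)
    elif method == "BYE":
        table.pop(call_id, None)
    return "PASS", findings

def build_request(method, headers, body=""):
    """Constructed sample message (not captured traffic); Content-Length is
    derived from the body, so only a deliberate edit makes it inconsistent."""
    lines = ["%s sip:bob@example.com SIP/2.0" % method] + ["%s: %s" % h for h in headers]
    if body:
        lines.append("Content-Length: %d" % len(body.encode()))
    return "\r\n".join(lines) + "\r\n\r\n" + body

BASE = [("Via", "SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds"),
        ("Max-Forwards", "70"), ("From", "<sip:alice@example.com>;tag=1928301774"),
        ("To", "<sip:bob@example.com>"), ("Call-ID", "a84b4c76e66710@192.0.2.10")]
SDP = ("v=0\r\no=alice 2890844526 2890844526 IN IP4 192.0.2.10\r\ns=-\r\n"
       "c=IN IP4 192.0.2.10\r\nt=0 0\r\nm=audio 49170 RTP/AVP 0\r\n")
INVITE = build_request("INVITE", BASE + [("CSeq", "1 INVITE"),
                                         ("Content-Type", "application/sdp")], SDP)
BYE = build_request("BYE", BASE + [("CSeq", "2 BYE")])
```

A filter of this kind sits at the core, in front of the call manager: anything that fails the syntax or consistency checks is dropped before any state is created, so only compliant signaling can open media pinholes, and the pinholes are closed as soon as the call ends. A production filter would add per-source rate limits and a timer that reaps pinholes for calls that never receive a BYE; both are left out here to keep the example short.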


More information

Hands on VoIP. Content. Tel +44 (0) 845 057 0176 enquiries@protelsolutions.co.uk. Introduction

Hands on VoIP. Content. Tel +44 (0) 845 057 0176 enquiries@protelsolutions.co.uk. Introduction Introduction This 4-day course offers a practical introduction to 'hands on' VoIP engineering. Voice over IP promises to reduce your telephony costs and provides unique opportunities for integrating voice

More information

Unit 23. RTP, VoIP. Shyam Parekh

Unit 23. RTP, VoIP. Shyam Parekh Unit 23 RTP, VoIP Shyam Parekh Contents: Real-time Transport Protocol (RTP) Purpose Protocol Stack RTP Header Real-time Transport Control Protocol (RTCP) Voice over IP (VoIP) Motivation H.323 SIP VoIP

More information

White Paper. avaya.com 1. Table of Contents. Starting Points

White Paper. avaya.com 1. Table of Contents. Starting Points White Paper Session Initiation Protocol Trunking - enabling new collaboration and helping keep the network safe with an Enterprise Session Border Controller Table of Contents Executive Summary...1 Starting

More information

Ingate Firewall/SIParator SIP Security for the Enterprise

Ingate Firewall/SIParator SIP Security for the Enterprise Ingate Firewall/SIParator SIP Security for the Enterprise Ingate Systems February, 2013 Ingate Systems AB (publ) Tel: +46 8 600 77 50 BACKGROUND... 1 1 NETWORK SECURITY... 2 2 WHY IS VOIP SECURITY IMPORTANT?...

More information

MINIMUM NETWORK REQUIREMENTS 1. REQUIREMENTS SUMMARY... 1

MINIMUM NETWORK REQUIREMENTS 1. REQUIREMENTS SUMMARY... 1 Table of Contents 1. REQUIREMENTS SUMMARY... 1 2. REQUIREMENTS DETAIL... 2 2.1 DHCP SERVER... 2 2.2 DNS SERVER... 2 2.3 FIREWALLS... 3 2.4 NETWORK ADDRESS TRANSLATION... 4 2.5 APPLICATION LAYER GATEWAY...

More information

ACD: Average Call Duration is the average duration of the calls routed bya a VoIP provider. It is a quality parameter given by the VoIP providers.

ACD: Average Call Duration is the average duration of the calls routed bya a VoIP provider. It is a quality parameter given by the VoIP providers. ACD: Average Call Duration is the average duration of the calls routed bya a VoIP provider. It is a quality parameter given by the VoIP providers. API: An application programming interface (API) is a source

More information

SSVVP SIP School VVoIP Professional Certification

SSVVP SIP School VVoIP Professional Certification SSVVP SIP School VVoIP Professional Certification Exam Objectives The SSVVP exam is designed to test your skills and knowledge on the basics of Networking, Voice over IP and Video over IP. Everything that

More information

Configuring SIP Trunking and Networking for the NetVanta 7000 Series

Configuring SIP Trunking and Networking for the NetVanta 7000 Series 61200796L1-29.4E July 2011 Configuration Guide Configuring for the NetVanta 7000 Series This configuration guide describes the configuration and implementation of Session Initiation Protocol (SIP) trunking

More information

Application Notes for Configuring Cablevision Optimum Voice SIP Trunking with Avaya IP Office - Issue 1.1

Application Notes for Configuring Cablevision Optimum Voice SIP Trunking with Avaya IP Office - Issue 1.1 Avaya Solution & Interoperability Test Lab Application Notes for Configuring Cablevision Optimum Voice SIP Trunking with Avaya IP Office - Issue 1.1 Abstract These Application Notes describe the procedures

More information

Cconducted at the Cisco facility and Miercom lab. Specific areas examined

Cconducted at the Cisco facility and Miercom lab. Specific areas examined Lab Testing Summary Report July 2009 Report 090708 Product Category: Unified Communications Vendor Tested: Key findings and conclusions: Cisco Unified Communications solution uses multilayered security

More information

Cisco ASA 5500 Series Unified Communications Deployments

Cisco ASA 5500 Series Unified Communications Deployments 5500 Series Unified Communications Deployments Cisco Unified Communications Solutions unify voice, video, data, and mobile applications on fixed and mobile networks, enabling easy collaboration every time,

More information

Contents Introduction Why Fax over IP? How Real-time Fax over IP works Implementation with MessagePlus/Open Summary. About this document

Contents Introduction Why Fax over IP? How Real-time Fax over IP works Implementation with MessagePlus/Open Summary. About this document Fax over IP Contents Introduction Why Fax over IP? How Real-time Fax over IP works Implementation with MessagePlus/Open Summary About this document This document describes how Fax over IP works in general

More information

Data Networking and Architecture. Delegates should have some basic knowledge of Internet Protocol and Data Networking principles.

Data Networking and Architecture. Delegates should have some basic knowledge of Internet Protocol and Data Networking principles. Data Networking and Architecture The course focuses on theoretical principles and practical implementation of selected Data Networking protocols and standards. Physical network architecture is described

More information

Cisco Networks (ONT) 2006 Cisco Systems, Inc. All rights reserved.

Cisco Networks (ONT) 2006 Cisco Systems, Inc. All rights reserved. Optimizing Converged Cisco Networks (ONT) reserved. Lesson 2.4: Calculating Bandwidth Requirements for VoIP reserved. Objectives Describe factors influencing encapsulation overhead and bandwidth requirements

More information

Internet Security. Internet Security Voice over IP. Introduction. ETSF10 Internet Protocols 2011-11-22. ETSF10 Internet Protocols 2011

Internet Security. Internet Security Voice over IP. Introduction. ETSF10 Internet Protocols 2011-11-22. ETSF10 Internet Protocols 2011 Internet Security Voice over IP ETSF10 Internet Protocols 2011 Kaan Bür & Jens Andersson Department of Electrical and Information Technology Internet Security IPSec 32.1 SSL/TLS 32.2 Firewalls 32.4 + Voice

More information

SBC WHITE PAPER. The Critical Component

SBC WHITE PAPER. The Critical Component SBC WHITE PAPER The Critical Component Table of Contents of your VoIP Infrastructure... 3 Enter the SBC... 4 Functions... 5 Security... 5 Denial of Service... 5 Toll Fraud... 6 Encryption... 6 Policy...

More information

Implementing VoIP support in a VSAT network based on SoftSwitch integration

Implementing VoIP support in a VSAT network based on SoftSwitch integration Implementing VoIP support in a VSAT network based on SoftSwitch integration Abstract Satellite communications based on geo-synchronous satellites are characterized by a large delay, and high cost of resources.

More information

CompTIA Convergence+ 2006 Examination Objectives

CompTIA Convergence+ 2006 Examination Objectives CompTIA Convergence+ 2006 Examination Objectives Introduction The CompTIA Convergence+ examination covering the 2006 objectives certifies that the successful candidate has the necessary knowledge to perform

More information

internet technologies and standards

internet technologies and standards Institute of Telecommunications Warsaw University of Technology 2015 internet technologies and standards Piotr Gajowniczek Andrzej Bąk Michał Jarociński multimedia in the Internet Voice-over-IP multimedia

More information