Regional Seminar on Internet Protocol: VoIP, Algiers, Algeria, 19-20 March 2007
Optimal Integration of IP-based Technologies and VoIP Security Challenges
Désiré Karyabwite, IP Coordinator, ICT Applications and Cybersecurity, ITU/BDT
The views expressed in this paper are those of the author and may not necessarily reflect the opinions of the ITU or its membership.
Table of Contents
1. Introduction
2. Challenges of Change: VoIP and other IP-based services and security aspects
2.1 Changing business models
2.2 VoIP/IP Telephony Minutes Trading and Exchange
2.3 Implementing VoIP security for ITU-T H.323 Systems
3. Conclusion
1. INTRODUCTION
ICT applications and evolution in France
Strategy and Priorities
Providing assistance in technical and policy aspects of Internet Protocol (IP).
Assisting in technical and policy aspects of e-applications and e-services (e-government, e-education, e-health, e-agriculture, e-commerce, etc.).
Enhancing security and trust in the use of public networks.
Implementing projects on MCTs and multipurpose platforms (MPPs).
Enhancing ICT literacy and building awareness of the potential of ICTs.
Promoting the establishment of a favourable legal environment for ICTs.
Resolution 50 (Doha, 2006): Optimal integration of information and communication technologies
The World Telecommunication Development Conference (Doha, 2006),
considering
a) the role of ITU, in particular the specific functions of the ITU Telecommunication Development Sector (ITU-D);
b) the disparity between those who have and those who do not have access to information and communication technologies (ICT), referred to as the "digital divide";
recognizing
a) ITU's role as a catalyst, and in particular that of ITU-D as coordinator and promoter of the rational use of resources in the context of the various projects intended to narrow the digital divide;
b) that the integration models supported by the ITU Member States are an element that integrates, facilitates and does not exclude, one which takes into account the individual characteristics of all existing projects, respecting their autonomy and independence;
c) that the integration models propose ways to increase the profitability of existing infrastructure, to lower the cost of developing and implementing ICT projects and platforms, to provide for the sharing of expertise and skills, and to foster intraregional and extraregional technology transfers,
resolves
1 that the Telecommunication Development Bureau (BDT) adopt all necessary measures to implement regional projects derived from the non-exclusive integration models which it has acquired, to link all stakeholders, organizations and institutions of the various sectors in an ongoing relationship of cooperation in which information is disseminated over networks, so as to narrow the digital divide in line with the outputs of Phases 1 and 2 of WSIS;
2 that BDT use the funds at its disposal to attain that objective;
3 that BDT play a central role in this initiative;
4 that relevant testing be conducted in each of the six regions.
2. Challenges of Change: VoIP and other IP-based services and security aspects
2.1 Changing business models
The global market for telecommunications is expanding rapidly. It is not a question of demand pull or supply push: both are happening.
Residential Video Telephony: allows end users to have video calls with each other. The end-user equipment could be a personal computer (PC), an IP-based videophone, or a 3G/4G-enabled mobile phone.
Fixed Mobile Convergence: enables users to employ the same end equipment (predominantly a mobile phone) in licensed wireless public networks outside homes and offices as well as in unlicensed wireless private networks inside homes and offices, where public network coverage is poor.
File Sharing Services: the exchange of audio and video files among networked peers.
Streaming Services: live and on-demand display of audio and video files and broadcasts on end-user equipment such as PCs, personal digital assistants (PDAs), or 3G/4G-enabled mobile phones, in real time, by simultaneously downloading, buffering, and playing the file on the end-user equipment.
Location Based Services (LBS): target the physical location of the user, obtained through the global positioning system (GPS) or wireless-network-based mechanisms, in order to provide user-specific services/applications.
Presence Based Services (PBS): personalize the modes of communication preferred by the user by letting the user define availability and receptiveness for each mode.
Screenshot: http://www.skype.com/
Screenshot: http://www.voipbuster.com/en/index.html. Destinations advertised as "100% free, no call setup" (subject to a maximum of 20 hours of free calls per month): Andorra, Australia, Austria, Belgium, Bulgaria, Canada, Chile, Colombia, Croatia, Cyprus, Denmark, Estonia, Finland, France, Georgia, Greece, Hong Kong, Iceland, Ireland, Italy, Japan, Latvia, Liechtenstein, Luxembourg, Malaysia, Monaco, Mongolia, Netherlands, New Zealand, Norway, Panama, Peru, Portugal, Puerto Rico, Singapore, Slovenia, South Korea, Spain, Switzerland, Taiwan, Thailand, Venezuela.
Screenshot: http://www.internetcalls.com/en/index.html. Destinations advertised as "100% free, no call setup": Andorra, Argentina, Australia, Austria, Belgium, Bulgaria, Canada, Chile, China, Colombia, Croatia, Cyprus, Denmark, Estonia, Finland, France, Georgia, Germany, Gibraltar, Hong Kong, Iceland, Ireland, Italy, Japan, Latvia, Liechtenstein, Luxembourg, Malaysia, Monaco, Mongolia, Netherlands, New Zealand, Norway, Panama, Poland, Puerto Rico, Russian Federation, Singapore, Slovenia, South Korea, Spain, Sweden, Switzerland, Taiwan, Turkey, United Kingdom, United States, Venezuela.
2.2 VoIP/IP Telephony Minutes Trading and Exchange
a) Electronic market for VoIP minutes trading (Arbinet case)
Arbinet is the leading electronic market for trading, routing and settling communications capacity. Members of the exchange, consisting primarily of communications service providers, buy and sell voice calls and Internet capacity based on route quality and price through its centralized marketplace.
c) VoIP Clearinghouse
AT&T Open Settlement Protocol (OSP) solution (AAA: authentication, authorization and accounting server).
Clearinghouses provide Internet service providers (ISPs), VoIP and telecommunications operators with a complete solution, enabling them to offer VoIP/IP telephony, fax, and a range of value-added services. They act as intermediaries for the financial settlement of IP telephony/VoIP and fax traffic and guarantee payment to all members.
2.3 Implementing security for VoIP: ITU-T H.323 Systems
Network architecture based on a Local Exchange Carrier (LEC) for VoIP/IP telephony
ITU-T H.323 deployment scenarios
Gateways (GW) provide many services, the most common being a translation function between H.323 conferencing endpoints and other terminal types (for example, PSTN or ISDN terminals).
A Gatekeeper (GK) is the most important component of an H.323-enabled network. It acts as the central point for all calls within its zone and provides call control services (registration, admission and address translation) to registered endpoints; it is therefore also the point at which endpoint authentication and call authorization are enforced.
A Multipoint Control Unit (MCU) supports conferences between three or more endpoints.
Diagram: output to VoIP via E1 digital trunk from PSTN lines; conversion from standard analogue subscribers to E1; fixed-to-mobile conversion; connecting an old PBX to digital trunks.
Chart: data loss analysis of breaches listed on www.privacyrights.org
Diagram: building a data-defensible architecture
ITU-T H.235: Security for ITU-T H.323 Systems
H.235 provides cryptographic protection of the control protocols (H.225.0 RAS and call signalling, and H.245) as well as cryptographic protection of the audio/video media stream data.
The H.235 key management supports classic point-to-point communication but also multipoint configurations with multipoint control units (MCUs), where several multimedia terminals communicate within a group.
Security issues in Multimedia and VoIP
Security threats in multimedia communications
User and terminal authentication
Server authentication
User/terminal and server authentication counter security threats such as masquerade, man-in-the-middle, IP address spoofing and connection hijacking.
Call authorization is the decision-making process that determines whether an authenticated user or terminal is permitted to make a given call.
Signalling security addresses protection of the signalling messages.
Voice confidentiality is realized through encryption of the voice packets.
Key management
Interdomain security deals with the problem that systems in heterogeneous environments have implemented different security features.
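As an added illustration of how the H.235 protection of H.225.0 signalling counters the masquerade, man-in-the-middle and hijacking threats listed above (example code, not from the slides and not from any H.323 implementation), the following Python models the H.235.1 baseline security profile: the endpoint attaches a ClearToken (sender ID, intended gatekeeper ID, timestamp, random nonce) to each RAS message and signs the whole message with HMAC-SHA1-96 under a password shared with the gatekeeper. The gatekeeper checks the MAC (forged and tampered messages fail), the intended recipient, the timestamp window (stale captures) and a nonce cache (replays). Assumptions not taken from the slides: canonical JSON stands in for the ASN.1 PER encoding of real H.225.0 messages, the 10-second replay window is an implementation choice, and all identities, addresses and the password are constructed sample values.

```python
import hmac
import hashlib
import json
import secrets

# Simplified model of the ITU-T H.235.1 baseline profile: an endpoint authenticates
# H.225.0 RAS messages to its gatekeeper with HMAC-SHA1-96 keyed by a shared password.
# Assumptions (not from the slides): canonical JSON instead of ASN.1 PER encoding,
# and a 10-second replay window (H.235 leaves the window to the implementation).
REPLAY_WINDOW = 10  # seconds


def serialize(msg: dict) -> bytes:
    """Canonical byte encoding of a message (stand-in for H.225.0 PER encoding)."""
    return json.dumps(msg, sort_keys=True, separators=(",", ":")).encode()


def hmac_sha1_96(password: str, data: bytes) -> bytes:
    """H.235.1 CryptoToken: HMAC-SHA1 truncated to 96 bits."""
    return hmac.new(password.encode(), data, hashlib.sha1).digest()[:12]


def build_ras(sender_id: str, gatekeeper_id: str, payload: dict, now: int, password: str) -> dict:
    """Endpoint side: attach a ClearToken (identities, timestamp, nonce) and sign the message."""
    msg = dict(payload)
    msg["clearToken"] = {
        "sendersID": sender_id,
        "generalID": gatekeeper_id,   # intended recipient; stops redirection to another GK
        "timeStamp": now,
        "random": secrets.randbits(32),
    }
    return {"message": msg, "cryptoToken": hmac_sha1_96(password, serialize(msg)).hex()}


class GatekeeperVerifier:
    """Gatekeeper side: checks integrity, recipient, freshness and replay."""

    def __init__(self, gatekeeper_id: str, password: str):
        self.gatekeeper_id = gatekeeper_id
        self.password = password
        self.seen = {}  # (sendersID, timeStamp, random) -> timeStamp, pruned by window

    def verify(self, signed: dict, now: int) -> str:
        msg = signed["message"]
        expected = hmac_sha1_96(self.password, serialize(msg)).hex()
        # MAC first: masquerade (wrong password) and man-in-the-middle tampering
        # both fail here. compare_digest avoids a timing side channel.
        if not hmac.compare_digest(expected, signed["cryptoToken"]):
            return "REJECT:integrity"
        tok = msg["clearToken"]
        if tok["generalID"] != self.gatekeeper_id:
            return "REJECT:wrong-recipient"
        if abs(tok["timeStamp"] - now) > REPLAY_WINDOW:
            return "REJECT:stale"
        # Forget nonces that have fallen outside the window; the timestamp check
        # already rejects them, so the cache stays bounded.
        self.seen = {k: t for k, t in self.seen.items() if abs(t - now) <= REPLAY_WINDOW}
        key = (tok["sendersID"], tok["timeStamp"], tok["random"])
        if key in self.seen:
            return "REJECT:replay"
        self.seen[key] = tok["timeStamp"]
        return "ACCEPT"


def demo() -> list:
    """Constructed scenario: one endpoint registering (RRQ) with one gatekeeper."""
    password = "correct horse"          # constructed shared secret
    gk = GatekeeperVerifier("gk.example", password)
    now = 1174305600                    # fixed clock so the results are deterministic
    rrq = {"type": "RRQ", "terminalAlias": "+21321000000", "callSignalAddress": "192.0.2.10:1720"}

    legit = build_ras("ep-1", "gk.example", rrq, now, password)
    results = [gk.verify(legit, now)]            # fresh, valid -> ACCEPT
    results.append(gk.verify(legit, now + 1))    # same message again -> replay

    tampered = json.loads(json.dumps(legit))     # attacker in the middle edits the alias
    tampered["message"]["terminalAlias"] = "+21321999999"
    results.append(gk.verify(tampered, now))     # MAC no longer matches

    forged = build_ras("ep-1", "gk.example", rrq, now, "guessed password")  # masquerade
    results.append(gk.verify(forged, now))

    stale = build_ras("ep-1", "gk.example", rrq, now - 3600, password)  # captured an hour ago
    results.append(gk.verify(stale, now))
    return results


if __name__ == "__main__":
    print(demo())
```

The order of checks matters: the MAC is verified before any field of the token is trusted, so an attacker cannot use the recipient, timestamp or nonce checks as an oracle about an unauthenticated message. Note that this profile gives integrity and authentication of signalling only; voice confidentiality needs the separate media encryption that H.235 also specifies.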
ITU-T Recommendation H.530 covers such security needs for mobile H.323 users by addressing the following security aspects:
Mobile terminal/user authentication and authorization in foreign (visited) domains.
Authentication of the visited domain.
Secure key management.
Protection of signalling data between a mobile terminal and the visited domain.
In addition to H.235, H.350 and H.350.2 (directory services for multimedia systems and for H.235 credentials) provide for scalable key management.
Deploy Secure Data Replication
Data security concern: 25% of data replication is done over IP connections, and that number is growing significantly. The data is exposed over the unsecured network.
Solution: data protection gateways at either end of the connection can secure the data replication channel. This solution defends against attacks on the replication channel.
Deploy Secure Backup
Data security concern: electronic archival to a remote tape storage site offers advantages over physically moving data, ranging from guaranteed data delivery and faster data recovery to eliminating tape loss. But it also exposes the data as it travels over the network.
Solution: high-speed encryption appliances can protect the backup data as it travels between storage sites. A protected continuous backup scheme offers cost savings over secure nightly tape backups and guarantees the data is there when you need it.
Protect Storage Management Ports
Data security concern: if the storage management port is hacked or breached, the attacker gains full control over the storage system and can move data off disk.
Solution: the management system can be secured by isolating the storage management network and creating a protected virtual network over the network (a secure management zone).
Protect Data Over Private Line Services
Data security concern: companies are using third-party private line services to link remote locations. Not only are the lines unprotected and out of one's control, but accidental misconfiguration or compromise of network devices at the service provider could lead to inadvertent data loss.
Solution: data protection gateways can secure IP and Ethernet services over third-party networks.
Protect Data Over Mesh Network Services
Data security concern: companies are using mesh network services, but these suffer from the same security concerns as private line services.
Solution: high-speed encryption at each customer edge secures the data as it travels over the mesh network. In addition, centralized and automated policy and key management will lower the total cost of ownership (TCO) of the encrypted solution.
Secure the LAN from Any MAN/WAN Threat
Data security concern: MANs or WANs that connect remote locations are potential entryways for attackers to access a corporate network and steal data.
Solution: a deterministic firewall that rejects unauthorized packets from the MAN/WAN can secure the LAN from unwanted access. A stateless firewall can isolate traffic between LANs.
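As an added example that is not from the slides, the following Python models a stateless, first-match, default-deny packet filter of the kind just described: it rejects spoofed packets arriving from the MAN/WAN with internal source addresses, admits only explicitly authorized services, and isolates two LAN segments except for the one flow that is allowed between them (H.225.0 call signalling to a gatekeeper on TCP port 1720, the registered H.323 port). The interface names, subnets, addresses and the policy itself are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed topology (assumption, not from the slides):
#   "wan" -> interface facing the MAN/WAN (untrusted)
#   "lan" -> user segment 10.1.0.0/16; server segment 10.2.0.0/16 sits behind the same filter
INTERNAL = ipaddress.ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class Packet:
    iface: str    # interface the packet arrived on
    src: str
    dst: str
    proto: str    # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    iface: Optional[str] = None   # None means "any" for every field below
    src: Optional[str] = None     # CIDR
    dst: Optional[str] = None     # CIDR
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        """Every specified field must match; unspecified fields are wildcards."""
        if self.iface is not None and self.iface != p.iface:
            return False
        if self.src is not None and ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if self.dst is not None and ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        return True


def evaluate(rules: List[Rule], p: Packet) -> str:
    """First matching rule wins; anything unmatched is denied (default deny).
    The filter is stateless: it never remembers earlier packets, so return
    traffic needs its own explicit rule (a stateful firewall would track it)."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


# Constructed policy for the example
RULES = [
    # Anti-spoofing: internal addresses never legitimately arrive from the WAN
    Rule("deny", iface="wan", src=str(INTERNAL)),
    # Only the public HTTPS service on the server segment is reachable from the WAN
    Rule("allow", iface="wan", dst="10.2.0.5/32", proto="tcp", dport=443),
    # Users may reach the H.323 gatekeeper's H.225.0 call signalling port only
    Rule("allow", iface="lan", src="10.1.0.0/16", dst="10.2.0.20/32", proto="tcp", dport=1720),
    # Otherwise the two LAN segments are isolated from each other
    Rule("deny", iface="lan", src="10.1.0.0/16", dst="10.2.0.0/16"),
]


def demo() -> List[str]:
    """Constructed packets exercising each rule; returns the verdict per packet."""
    packets = [
        Packet("wan", "198.51.100.7", "10.2.0.5", "tcp", 443),    # legitimate HTTPS -> allow
        Packet("wan", "10.1.0.9", "10.2.0.5", "tcp", 443),        # spoofed internal source -> deny
        Packet("lan", "10.1.0.9", "10.2.0.20", "tcp", 1720),      # H.225.0 to gatekeeper -> allow
        Packet("lan", "10.1.0.9", "10.2.0.20", "tcp", 22),        # SSH across segments -> deny
        Packet("wan", "198.51.100.7", "10.2.0.20", "tcp", 1720),  # no rule -> default deny
    ]
    return [evaluate(RULES, p) for p in packets]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The deterministic property the slide asks for comes from the ordered rule list and the default deny: every packet gets exactly one verdict, and nothing is admitted that the policy does not name. The limitation of a stateless filter is visible in the same code: because it keeps no connection table, the gatekeeper's replies back to 10.1.0.0/16 would also need an explicit rule, and such a rule cannot tell a genuine reply from an unsolicited packet with the same ports.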
Secure Network Inside the Network
Data security concern: virtual network technology provides data separation, but it doesn't secure the data as it travels over the network. Unauthorized insiders or outsiders may exploit OS or application vulnerabilities to compromise a system and steal sensitive information until detected.
Solution: use encryption technology to both separate and secure data on the network, providing a secure virtual network between LANs.
Protect Point-to-Point Wireless
Data security concern: point-to-point wireless connections offer lower costs as a result of carrier toll bypass, but data sent over the air is exposed and can be captured by a sniffing attack.
Solution: the point-to-point wireless channel can be secured with high-speed IPSec or Ethernet encryption.
Protect End-to-End WLAN Traffic
Data security concern: while 802.11 wireless LAN traffic is encrypted over the air, it is decrypted at the access point and travels unprotected from there. Even one exposed access point can give an attacker an unsecured link for an intrusion.
Solution: using client access and security gateways, IPSec protection can be provided end-to-end, from the client to a secure location or application.
3. Conclusion
VoIP and many other IP-based services are increasing.
A three-step implementation roadmap:
1) Address primary network security threats by deploying IPSec encryption. IPSec is the most flexible and secure data protection technology and the best place to start.
2) Expand and extend data protection to Ethernet encryption and client access. IPSec appliances can protect vast amounts of data, but they may not work in all situations. Ethernet encryption and client access are the next natural steps in data protection: for data transported over non-IP protocols, for single users needing access to a cryptographically segmented LAN, and for protecting wireless.
3) Scale to enterprise-wide data protection by solving the manageability problem. As data protection solutions are deployed in the four solution areas, and as the number of keys and devices starts to grow, key and policy management need to be automated through specialized software tools.
Best practices for DNS and IP address management
Governing law and dispute resolution
Clear corporate strategies
Clear VoIP business strategies
Thank you for your attention
For more details: www.itu.int/itu-d
Désiré KARYABWITE, IP Coordinator, E-Strategy Unit
Email: desire.karyabwite@itu.int
Tel: +41 22 730 5009
Fax: +41 22 730 5484