SCIDIVE: A Stateful and Cross Protocol Intrusion Detection Architecture for Voice-over-IP Environments. Outline



Similar documents
SCIDIVE: A Stateful and Cross Protocol Intrusion Detection Architecture for Voice-over-IP Environments

Intrusion Detection in Voice-over-IP Environments

Spam Detection in Voice-over-IP Calls through Semi-Supervised Clustering

Basic Vulnerability Issues for SIP Security

TECHNICAL CHALLENGES OF VoIP BYPASS

A VoIP Traffic Monitoring System based on NetFlow v9

Chapter 2 PSTN and VoIP Services Context

Application Note. Firewall Requirements for the Onsight Mobile Collaboration System and Hosted Librestream SIP Service v5.0

SIP Intrusion Detection and Response Architecture for Protecting SIP-based Services

VIDEOCONFERENCING. Video class

A Model-based Methodology for Developing Secure VoIP Systems

EE4607 Session Initiation Protocol

NAT TCP SIP ALG Support

How To Protect Your Phone From Being Hacked By A Man In The Middle Or Remote Attacker

Application Note. Onsight Connect Network Requirements V6.1

Network/Internet Forensic and Intrusion Log Analysis

Voice over IP. VoIP (In) Security. Presented by Darren Bilby NZISF 14 July 2005

White paper. SIP An introduction

SIP: NAT and FIREWALL TRAVERSAL Amit Bir Singh Department of Electrical Engineering George Washington University

NETWORK SECURITY (W/LAB) Course Syllabus

An outline of the security threats that face SIP based VoIP and other real-time applications

Virtual private network. Network security protocols VPN VPN. Instead of a dedicated data link Packets securely sent over a shared network Internet VPN

BEng (Hons) Telecommunications. Examinations for / Semester 1

Linux Network Security

Application Note. Onsight Connect Network Requirements v6.3

Unit 23. RTP, VoIP. Shyam Parekh

Ram Dantu. VOIP: Are We Secured?

Voice Over IP (VoIP) Denial of Service (DoS)

SHORT DESCRIPTION OF THE PROJECT...3 INTRODUCTION...4 MOTIVATION...4 Session Initiation Protocol (SIP)...5 Java Media Framework (JMF)...

point to point and point to multi point calls over IP

10 Key Things Your VoIP Firewall Should Do. When voice joins applications and data on your network

A Comparative Study of Signalling Protocols Used In VoIP

A Brief Overview of VoIP Security. By John McCarron. Voice of Internet Protocol is the next generation telecommunications method.

Intrusion Detection in AlienVault

Chapter 9 Firewalls and Intrusion Prevention Systems

An Introduction to VoIP Protocols

Internet Security. Internet Security Voice over IP. Introduction. ETSF10 Internet Protocols ETSF10 Internet Protocols 2011

TSIN02 - Internetworking

Setting up a reflector-reflector interconnection using Alkit Reflex RTP reflector/mixer

CS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention. Spring 2013

VoIP. Overview. Jakob Aleksander Libak Introduction Pros and cons Protocols Services Conclusion

SIP Security Controllers. Product Overview

Detecting Spam in VoIP Networks. Ram Dantu Prakash Kolan

Introduction to VoIP Technology

VOIP SECURITY ISSUES AND RECOMMENDATIONS

Session Initiation Protocol (SIP) The Emerging System in IP Telephony

(Refer Slide Time: 6:17)

Integrating Voice over IP services in IPv4 and IPv6 networks

How to make free phone calls and influence people by the grugq

Indepth Voice over IP and SIP Networking Course

SIP: Ringing Timer Support for INVITE Client Transaction

Improving Quality in Voice Over Internet Protocol (VOIP) on Mobile Devices in Pervasive Environment

Media Gateway Controller RTP

INTRUSION DETECTION SYSTEMS and Network Security

VoIP Phreaking Introduction to SIP Hacking. Hendrik Scholz 22C3, Berlin, Germany

NCAS National Caller ID Authentication System

MyIC setup and configuration (with sample configuration for Alcatel Lucent test environment)

Firewalls, Tunnels, and Network Intrusion Detection. Firewalls

The SIP School- 'Mitel Style'

Lab Hours. We need to allocate 3 hours in this week for hands-on lab hours ( Nov 13 th 14:10-17:00).

Multimedia Communication in the Internet. SIP: Advanced Topics. Dorgham Sisalem, Sven Ehlert Mobile Integrated Services FhG FOKUS

SIP: Ringing Timer Support for INVITE Client Transaction

Data Security in a Converged Network

VoIP telephony over internet

Formación en Tecnologías Avanzadas

SIP and VoIP 1 / 44. SIP and VoIP

An Overview on Security Analysis of Session Initiation Protocol in VoIP network

ETM System SIP Trunk Support Technical Discussion

Configuring Personal Firewalls and Understanding IDS. Securing Networks Chapter 3 Part 2 of 4 CA M S Mehta, FCA

SURVEY OF INTRUSION DETECTION SYSTEM

Web Traffic Capture Butler Street, Suite 200 Pittsburgh, PA (412)

NTP VoIP Platform: A SIP VoIP Platform and Its Services

Columbia - Verizon Research Securing SIP: Scalable Mechanisms For Protecting SIP-Based Systems

CSCI 4250/6250 Fall 2015 Computer and Networks Security

SIP Trunking and Voice over IP

Security issues in Voice over IP: A Review

Development of SIP-H.323 Gateway Project

Securing SIP Trunks APPLICATION NOTE.

Intrusion Detections Systems

Voice over IP (SIP) Milan Milinković

Configuring Check Point VPN-1/FireWall-1 and SecuRemote Client with Avaya IP Softphone via NAT - Issue 1.0

White Paper. avaya.com 1. Table of Contents. Starting Points

FIREWALLS. Firewall: isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others

Connecting MPLS Voice VPNs Enabling the Secure Interconnection of Inter-Enterprise VoIP

SIP Trunking Configuration with

Chapter 15. Firewalls, IDS and IPS

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 5 Firewall Planning and Design

Session Initiation Protocol and Services

Request for Comments: August 2006

Applied Networks & Security

Threat Mitigation for VoIP

Introduction of Intrusion Detection Systems

Chapter 10 Session Initiation Protocol. Prof. Yuh-Shyan Chen Department of Computer Science and Information Engineering National Taipei University

NAT Traversal for VoIP. Ai-Chun Pang Graduate Institute of Networking and Multimedia Dept. of Comp. Sci. and Info. Engr. National Taiwan University

Internet Working 15th lecture (last but one) Chair of Communication Systems Department of Applied Sciences University of Freiburg 2005

SIP: Protocol Overview

Voice Over IP and Firewalls

SIP, Session Initiation Protocol used in VoIP

Firewalls, Tunnels, and Network Intrusion Detection

Best Practices for Securing IP Telephony

Transcription:

SCIDIVE: A Stateful and Cross Protocol Intrusion Detection Architecture for Voice-over-IP Environments Yu-Sung Wu, Saurabh Bagchi Dependable Computing Systems Lab School of Electrical and Computer Engineering Purdue University Sachin Garg, Navjot Singh Avaya Labs Timothy Tsai Sun Microsystems http://shay.ecn.purdue.edu/~dcsl Slide 1/18 Outline Motivation : VoIP System & Threats Applicability of current IDS to VoIP systems Design of SCIDIVE Cross-protocol methodology for detection Stateful methodology for detection Implementation Attack scenarios Future work Slide 2/18

Motivation : Threats against VoIP System Voice-Over-IP (VoIP) systems are gaining in popularity for carrying voice traffic over IP infrastructure Economical due to convergence of data and voice Useful for internal corporate communication and external inter-domain communication VoIP systems are vulnerable to malicious attacks Traditional ones and Specialized ones targeted to VoIP systems Protecting VoIP systems is challenging Open environment Employ multiple protocols Systems are distributed in nature Different components are under different administrative domains Slide 3/18 Some facts about VoIP Voice communication between end points/terminals/clients Physical VoIP phones, or Software programs executing on computers Other entities: Gateways, Proxy servers, Redirect servers VoIP systems provide facilities for setting up and managing voice communication sessions Protocols used are H.323 or SIP Media (voice data) carried using protocols such as RTP Health of connection monitored using RTCP or ICMP VoIP system is session aware (stateful) A media flow comes after a successful call setup The sequence number of RTP packets is monotonic A hang-up event happens only if there is an existing talk session Slide 4/18

Vulnerabilities in VoIP Systems Voice traffic over data network Vulnerable to traditional attacks, such as DoS and authentication Additionally attacks related to toll fraud, privacy, and degrading voice quality A major source of vulnerabilities in the signaling protocol (SIP) Headers and payload sent in clear text allowing attacks such as premature call termination, redirecting calls Vulnerabilities in the media protocol (RTP) No authentication and encryption allowing attacks such as injection of spurious packets INVITE ACK Conversation over RTP BYE Calling party Ringing OK OK Called party Slide 5/18 Applicability of Existing IDSs Current IDS s not well suited for VoIP Intrusion Detection They are restricted in their ability to match patterns across multiple packets Example: Snort s stream4 reassembly module can only reassemble multiple TCP packets that belong to the same session and then apply detection rule They are restricted in their ability to match patterns across multiple protocols Required because several attacks are based on sequences that span multiple protocols WebSTAT detects attacks against web servers by correlating events from vertically layered protocols: application level (web server logs) and OS level (OS logs) In VoIP systems, correlation across horizontally layered protocols is also required Slide 6/18

Design of SCIDIVE: Components Footprint Protocol dependent information unit For example, a Footprint can be composed of a SIP or an RTP message Trail A set of Footprints belonging to the same session Trail SIP Trail 1 SIP Trail 2 RTP Trail 3 Time Footprint Distiller Network flows Event Generator Events Ruleset Rule Matching Engine Slide 7/18 Design of SCIDIVE: Components Distiller Translates packets into Footprints Performs defragmentation, reassembly, decoding of packets Event generator Maps footprints into events Example: Map two out of order RTP Footprints into an event called RtpJitter Layer of abstraction that enables efficient rule matching SIP Trail 1 SIP Trail 2 RTP Trail 3 Time Event Generator Events Distiller Rule Matching Engine Ruleset Network flows Slide 8/18

Design of SCIDIVE: Components Rule Matching Engine Triggered when events are generated Works on rule set Rule set Chiefly based on events Example: Detect RTP flow (event 1) after a session is torn down (event 2) Can also access information directly in trails at the cost of some efficiency Example: Interested in knowing who prematurely tears down a session. Require a look at the corresponding SIP Footprint SIP Trail 1 SIP Trail 2 RTP Trail 3 Time Event Generator Distiller Events Rule set Rule Matching Engine Network flows Slide 9/18 Important Abstraction #1: Cross Protocol Detection SCIDIVE accesses packets from multiple protocols in a system to perform its detection Suitable for VoIP systems since it employs multiple protocols and attacks spanning multiple protocols are possible In SCIDIVE, cross protocol detection enabled through Maintaining multiple trails for different sessions of different protocols An event can be generated across multiple trails A rule can be framed in terms of each of these events Slide 10/18

Important Abstraction #2: Stateful Detection SCIDIVE can build relevant state in a session and across sessions and use the state in matching for possible attacks Suitable for VoIP systems since components maintain considerable amount of system state Client side maintains state about active connections Server side maintains state relevant to billing In SCIDIVE stateful detection is enabled through Structuring and maintaining Footprints belonging to a session in a single trail Thus, state transitions of each session can be tracked Slide 11/18 End-point based Implementation SCIDIVE-enabled-IDS engine sits on/close to the end-point in our implementation IDS engines can be deployed at multiple points e.g., at both clients and the SIP Proxy and alert correlation done [Wu-ACSAC03] IDS SIP Proxy Hub Internet IDS Protected Area Slide 12/18

Testbed - Layout SIP Proxy Server Client A Client B Sam Gollum Enterprise Typhoon Hub SCIDIVE Pippin Frodo Firewall Merry Attacker Switch Hub SIP Phone SIP Phone Outside World Main Auditorium Client X Slide 13/18 Testbed - Details Protocol : Based on the trend of VoIP system development, we focus on SIP and RTP Proxy : Sip Express Router from www.iptel.org Clients : Kphone from www.kde.org Windows Messenger from Microsoft X-Lite from www.xten.com Attacks created BYE attack : a signaling based DoS attack RE-INVITE attack : a signaling based Call Hijacking attack RTP attack : a media stream based DoS attack Fake Instant Messaging : a signaling based identity attack Slide 14/18

Attack Scenario #1: BYE Attack Goal of attack: Attacker prematurely tears down B s session with A by sending A a BYE message masquerading as B Detection method: RTP flow from B should stop before A sees the BYE message Cross protocol since RTP and SIP trails are used Stateful since monitoring of SIP session to determine when torn down BYE SIP UA [Attacker] SIP UA [A] SIP UA [B] SIP Proxy Slide 15/18 Attack Scenario #2: RTP Attack Goal of attack: Garbage header and payload injected into RTP packets Depending on implementation of the client, it may crash or experience degraded voice quality Detection method: Sanity check the IP address and sequence number of successive RTP packets Cross protocol since IP and RTP Footprints are used Stateful since sequence of RTP Footprints is monitored Junk RTP packet SIP UA [Attacker] SIP UA [A] SIP UA [B] SIP Proxy Slide 16/18

Summary Voice over IP systems are going to be a part of our lives Malicious attacks of different kinds, some traditional but many new kinds, will come with the territory Current IDSs do not satisfactorily fit VoIP systems We proposed an architecture called SCIDIVE for intrusion detection in VoIP systems The architecture introduced two abstractions Cross protocol detection Stateful detection The architecture was instantiated in an implementation with realworld heterogeneous clients and servers Different kinds of attacks were injected and the detection methodology of SCIDIVE demonstrated Slide 17/18 Future Work Distributed IDS: Collaborative IDS engines deployed at endpoints, gateways and network elements Potential to detect a broader set of attacks Potentially lower false positives Build taxonomy of VoIP attacks. Create SCIDIVE rules based on the taxonomy to enable detection of unknown attacks Slide 18/18

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information