A Model-based Methodology for Developing Secure VoIP Systems

Similar documents
Unit 23. RTP, VoIP. Shyam Parekh

CHAPTER 1 INTRODUCTION

Internet Security. Internet Security Voice over IP. Introduction. ETSF10 Internet Protocols ETSF10 Internet Protocols 2011

Securing SIP Trunks APPLICATION NOTE.

TECHNICAL CHALLENGES OF VoIP BYPASS

VOICE OVER IP SECURITY

Securing VoIP Networks using graded Protection Levels

Best Practices for Securing IP Telephony

Level: 3 Credit value: 9 GLH: 80. QCF unit reference R/507/8351. This unit has 6 learning outcomes.

How To Understand The Purpose Of A Sip Aware Firewall/Alg (Sip) With An Alg (Sip) And An Algen (S Ip) (Alg) (Siph) (Network) (Ip) (Lib

VoIP. Overview. Jakob Aleksander Libak Introduction Pros and cons Protocols Services Conclusion

Security issues in Voice over IP: A Review

Company Co. Inc. LLC. LAN Domain Network Security Best Practices. An integrated approach to securing Company Co. Inc.

White Paper. avaya.com 1. Table of Contents. Starting Points

Network Access Security. Lesson 10

Voice Over IP (VoIP) Denial of Service (DoS)

Local Session Controller: Cisco s Solution for the U.S. Department of Defense Network of the Future

Mobility and cellular networks

Security & Encryption

Chapter 9 Firewalls and Intrusion Prevention Systems

Configuring a Mediatrix 500 / 600 Enterprise SIP Trunk SBC June 28, 2011

VoIP Security Threats and Vulnerabilities

VIDEOCONFERENCING. Video class

Industrial Network Security for SCADA, Automation, Process Control and PLC Systems. Contents. 1 An Introduction to Industrial Network Security 1

Connecting MPLS Voice VPNs Enabling the Secure Interconnection of Inter-Enterprise VoIP

A Brief Overview of VoIP Security. By John McCarron. Voice of Internet Protocol is the next generation telecommunications method.

NTP VoIP Platform: A SIP VoIP Platform and Its Services

Cconducted at the Cisco facility and Miercom lab. Specific areas examined

Session Border Controllers in Enterprise

ZyXEL V100 Support Notes. ZyXEL V100. (V100 Softphone 1 Runtime License) Support Notes

How To Secure A Voice Over Internet Protocol (Voip) From A Cyber Attack

White Paper A SECURITY GUIDE TO PROTECTING IP PHONE SYSTEMS AGAINST ATTACK. A balancing act

Recommended IP Telephony Architecture

BlackRidge Technology Transport Access Control: Overview

What is an E-SBC? WHITE PAPER

Voice Over IP and Firewalls

TraceSim 3.0: Advanced Measurement Functionality. of Video over IP Traffic

Basic Vulnerability Issues for SIP Security

Analysis of SIP Traffic Behavior with NetFlow-based Statistical Information

Application Note Patton SmartNode in combination with a CheckPoint Firewall for Multimedia security

Authentication and Authorisation for Integrated SIP Services in Heterogeneous Environments 1

7 Network Security. 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework. 7.5 Absolute Security?

Ingate Firewall/SIParator SIP Security for the Enterprise

State of New Mexico Statewide Architectural Configuration Requirements. Title: Network Security Standard S-STD Effective Date: April 7, 2005

Configuring the Sonus SBC 2000 with Cisco Unified Call Manager 10.5 for Verizon Deployment

Voice over IP Communications

Session Initiation Protocol (SIP) The Emerging System in IP Telephony

Acme Packet session border controllers in the enterprise

Security Frameworks. An Enterprise Approach to Security. Robert Belka Frazier, CISSP

IP Ports and Protocols used by H.323 Devices

Technical White Paper for Traversal of Huawei Videoconferencing Systems Between Private and Public Networks

Application Note. Onsight Connect Network Requirements V6.1

Application Note. Firewall Requirements for the Onsight Mobile Collaboration System and Hosted Librestream SIP Service v5.0

Implementing a Voice Over Internet (Voip) Telephony using SIP. Final Project report Presented by: Md. Manzoor Murshed

Chapter 2 PSTN and VoIP Services Context

Detecting Spam in VoIP Networks. Ram Dantu Prakash Kolan

Network Security. Tampere Seminar 23rd October Overview Switch Security Firewalls Conclusion

Introduction to VoIP Technology

CS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention. Spring 2013

Secure VoIP for optimal business communication

How To Support An Ip Trunking Service

Network Security Administrator

Formación en Tecnologías Avanzadas

Your new VoIP Network is working great Right? How to Know. April 2012 WHITE PAPER

SonicWALL Clean VPN. Protect applications with granular access control based on user identity and device identity/integrity

SIP SECURITY WILEY. Dorgham Sisalem John Floroiu Jiri Kuthan Ulrich Abend Henning Schulzrinne. A John Wiley and Sons, Ltd.

Network Connection Considerations for Microsoft Response Point 1.0 Service Pack 2

Cisco CCNP Optimizing Converged Cisco Networks (ONT)

IP Telephony Basics. Part of The Technology Overview Series for Small and Medium Businesses

Voice over IP Security

Written Testimony of John L. Barnes Director of Product Development Verizon Business. Hearing on VoIP: Who Has Jurisdiction to Tax It?

IP Telephony Deployment Models

TSIN02 - Internetworking

Secure Remote Access Solutions Balancing security and remote access Bob Hicks, Rockwell Automation

ICTTEN5168A Design and implement an enterprise voice over internet protocol and a unified communications network

Practical Internet Steganography: Data Hiding in IP

Session Border Controller

IP Telephony Management

Security & Reliability in VoIP Solution

TDM services over IP networks

Internet Communications Using SIP

Indepth Voice over IP and SIP Networking Course

Voice Over Internet Protocol (VOIP) SECURITY. Rick Kuhn Computer Security Division National Institute of Standards and Technology

Application Notes for Configuring a SonicWALL VPN with an Avaya IP Telephony Infrastructure - Issue 1.0

Application Note. Onsight TeamLink And Firewall Detect v6.3

NETWORK ACCESS CONTROL AND CLOUD SECURITY. Tran Song Dat Phuc SeoulTech 2015

OpenScape UC Firewall and OpenScape Session Border Controller

Integrating Voice over IP services in IPv4 and IPv6 networks

Cisco Advanced Services for Network Security

Computer Networks. Voice over IP (VoIP) Professor Richard Harris School of Engineering and Advanced Technology (SEAT)

Implementing SIP and H.323 Signalling as Web Services

ICANWK406A Install, configure and test network security

SIP : Session Initiation Protocol

Transcription:

A Model-based Methodology for Developing Secure VoIP Systems Juan C Pelaez, Ph. D. November 24, 200

VoIP overview What is VoIP? Why use VoIP? Strong effect on global communications VoIP will replace PSTN soon Voice over IP over Wireless (VoIPoW) Cost savings IP network is used as a backbone between two voice switches/gateways

VoIP on Tactical Networks VoIP can traverse radio networks US Army is converging on a standard IP backbone in all of the tactical systems (sensor, ISR, UAV or intelligence systems) VoIP over tactical networking technology is useful not only to the military, but also to law enforcement and emergency services. VoIPoW is becoming available for both wireless LAN and wireless WAN applications. U.S. Army is using VoIP on high level units (expecting to be fully implemented soon). Disadvantages Security issues QoS issues

Network Architecture Challenges Comprehensive understanding of the main issues for both the signaling and the standard protocols used today for providing wireless access in VoIPoW. H.323 and SIP protocols for signaling and call control in VoIP, they are essential for providing total access and for supporting IP-based services. H.323 is complex and requires a combination of components to perform its functions. Need high-level specification of the VoIP architecture that can be used to conduct forensic investigations in a tactical environment. Analyze the interoperability with other multimedia service networks and terminals. Terminal devices in disparate networks communicate frequently.

Network Architecture Challenges (Cont) Converged environments have a large variety of users and require the use of multiple signaling protocols. Examiners usually conduct investigations in architectures that support both SIP and H.323 calls. Therefore our network forensic model must be able to operate in a converged environment using multiple existing and potential signaling protocols. Wi-Fi and WiMax are the two standard protocols used today for providing wireless access in VoIPoW. Interworking between IEEE 802. and IEEE 802.6 is common since the WiMax purpose is to expand the range of wireless systems access.

DFRWS Framework (from [DFRWS0] )

Network Forensic Challenges -Collection- How to efficiently collect digital attack evidence in real time from a variety of VoIP components and networks? Forces Firewalls and Intrusion Detection Systems (IDS), cannot detect or prevent all attacks. In Tactical environments we need network models that allow not only the detection of complex attacks, but also that support forensic evidence collection, storage and analysis. VoIP, requires an automated collection of forensic data in order to provide data reduction and correlation. Need forensic methods with shorter response times because the large volume of irrelevant information and increasingly complex attack strategies make manual analysis impossible in a timely manner. In VoIP network forensics a systematic approach is needed to detect vulnerabilities and the resulting attacks.

Network Forensic Challenges Analysis- How to analyze evidence in order to discover the attack source and other characteristics of the attack? Forces Analysis and reconstruction of attacks time-consuming and humanintensive tasks. Storing network data for forensic analysis may be complicated. Encrypted packets are difficult to analyze. Wireless anti-forensics methods The modification of the 802. specification (Raw Covert, madwifi patches) Use of illegal channels The forensic analysis process must guarantee data preservation and integrity. Attacks in converged networks are becoming more frequent and more complex to counter. Need to reusing network forensic knowledge and documenting forensic investigations. Lack of experience executing investigations or using similar forensic tools.

Network Models using Patterns Study VoIP network representations to model, simulate, test, and prototype networks with intent to discover new ways to characterize network environments and the information embedded in the network. A comprehensive pattern system based on a collection of architectural, attack, forensic and security patterns, providing best practices for IP telephony systems. Analyze network forensic investigations in a VoIP converged environment using the existing methods for this basis. A pattern system to specify, analyze and implement network forensics investigations for different architectures. We will make use of UML (Unified Modeling Language) to describe these patterns. Effective ways for network investigators to implement the use of network forensics as a secure and convenient method of collecting digital evidence in a VoIP environment.

VoIP Pattern System Architectural patterns Analyze existing VoIP architectures in IP telephony. Focus on modeling tactical architectures using UML language. Patterns are used for high-level specification of the VoIP system. Attack patterns Systematic description of the steps and goals of an attack and ways to defend and trace its application in a system. Attack pattern template in order to describe how to document and organize generic attack patterns. Attack pattern catalog. Security patterns Based on security mechanisms and standards to stop attacks against the VoIP system. From the list of attacks we can figure out what security patterns are necessary to prevent or mitigate the threats. Forensic patterns Capturing, recording, and analyzing information collected on VoIP networks from several intrusion detection, auditing, and checking points. Help network investigators to understand which evidence can be obtained from the VoIP system after a specific attack.

VoIP Pattern System Network segmentation Evidence Collector Evidence Analyzer Signed Authenticated call uses authentication VoIP Tunneling message secrecy uses Secure VoIP call message secrecy uses WiFi Network Architecture uses Hybrid WiFi/WiMax Architecture uses implements implements implements Tactical VoIP Forensic Model uses Attack Patterns implements H.323 Signaling Protocol SIP Signaling Protocol implements WiMax Network Architecture implements Hybrid Signaling Protocol

Example: Signaling Steganophony Pattern Defines a structure and process to manipulate signaling protocol information in converged networks for steganographic purposes. Provides a way to exploit unused fields in signaling packets to embed hidden messages in VoIP calls. Context Subscribers engage in a voice call conversation over a VoIP channel. Signaling protocols: H.323 and SIP. Signaling messages are exchanged between endpoints. Use of cryptographic protocols (e.g. SIPS) which encrypts signaling to improve the security of VoIP connections. Problem How to transmit a secret message to a remote user in a regular conversation via the VoIP system? Vulnerabilities Digital audio signals are, due to their stream-like composition and the high data rate, appropriate covers for a steganographic method Creation of covert channels in SIP is possible because in the protocol specifications there are no restrictions to generating parameters about the desired length. A VoIP connection does not give examiners enough time to detect possible abnormality Amount of information that attackers can covertly transfer in VoIP networks is significant. The use of VoIP steganography should be considered as a threat to the security of the converged network as it may be used for data exfiltration.

Class diagram for a SIP architecture SIP server signaling Layer 2 switch connect use connect Proxy server connect Gateway PSTNto-PSTN use Location server interact Redirect server interact Register server User Agent

Sequence diagram for SIP signaling steganography <<actor>> SIP-UA: P:ProxyServer P:ProxyServer2 <<actor>> SIP-UA2: P.dial(SIPinvite()) P2.dial(SIPinvite()) UA2.connect(SIPinvite()) OK() ACK() OK() ACK() OK() ACK() RTP/RTCP embedstego() txstego() recoverstego()

Countermeasures Use statistical analysis of the lost packets for calls in the converged network by observing RTP streams flow this may indicate potential use of VoIP steganography. Use the Network Segmentation pattern which performs separation of the voice and data services to improve data exfiltration detection in VoIP. Analyze the voice packet payload in order to decide whether it contains voice data consistent with the overall call or not. Use Stateful-Inspection Firewalls or Session Border Controllers with Deep Packet Inspection (DPI) technology in order to detect hidden messages in VoIP. DPI looks inside the voice packet, and analyze the contents of the packet as well as the headers to decide if the information contain steganographic data or not.

Forensics Use the VoIP Evidence Collector pattern which defines a structure and process to collect attack packets on the basis of adaptively setting filtering rules for real-time collection. Use sensors with examination capabilities that look at VoIP traffic (i.e. signaling and media) and flag packets where typically unused bits/fields actually have data stored in them. Use the VoIP Evidence Analyzer pattern which analyzes the collected forensic data packets, and presents a process of investigating attacks against the VoIP network. This pattern may also use steganalysis algorithms to analyze VoIP steganographic attacks. Misuse patterns indicate where to look for attack data, which components of the network may be more useful to find evidence, and which parts of the network should have additional capabilities to collect forensic data.

Evidence Collector Class Diagram Evidence Call Server VoIP Network collect Embedded Sensor NFAT Evidence Collector Forensic components Network Traffic Filter Send data Monitor real traffic Forensic Server Send alarm IDS

manages Call Server Layer 2 Switch IP-to-IP VoIP Network Forensic System Architecture connect conferencing Gateway Terminal Device MCU PSTN-to-PSTN VoIP Network connect Forensic LAN Evidence Collector manages Forensic Components Forensic Server Evidence Database manages Network Investigator

Conclusions and Future work VoIP will become more typical in the near future, with the probability of being the most popular system for mobile communication, therefore, it is important to study the mechanisms and tools for forensic analysis of converged networks. Forensic information found in VoIP systems has a great potential to be used as evidence. Forensic patterns value may be realized when semiformal UML models are reused on similar investigations. This research presented effective ways in which network investigators can more effectively implement the use of network forensics as a secure and convenient method of collecting and analyzing digital evidence in a VoIP environment. A contribution in this research is the creation of a comprehensive pattern system to be used in forensic investigation processes. We concentrated on the functionality offered by these patterns and their usefulness. These are the first steps toward a methodology for modeling network forensics. Generation of additional forensic patterns including IDS versions of this approach. Explore statistical approaches for IDS in converged environments

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information