“Security Model” of SIP

A T Kishore
January 31st, 2008

Alcatel-Lucent - Proprietary
Agenda

1. Security is Ever Pervasive
2. SIP is no exception
3. Introducing SIP CIA Model
4. ‘Always ON’
5. Call Flow Scenarios

Alcatel-Lucent – Proprietary
All Rights Reserved © Alcatel-Lucent 2007
Security is Ever Pervasive
About Alcatel-Lucent: Leadership and Expertise in Security

Alcatel-Lucent’s resources are pioneers in the knowledge that drives security innovations.

Patents and standardization: R&D leadership
• Hundreds of patents in security, cryptography, biometrics, firewalls, denial of service and virus detection
• ITU standards visionary (X.805), then ISO 18028
• Major player in ITU-T SG 17, the Lead Study Group on Communication System Security
• CERT-IST operation, FIRST membership since 1999
• Bell Labs leadership in:
  - Creation of new cryptography (SHAZAM for CDMA2000, PAK)
  - Breaking of old cryptography (PKCS#1, DSA, SOBER, Clipper)
  - Development of optical-rate encryption ciphers and NSA-certified encryptors
• Pioneering work in provable security
  - Biometrics (voice authentication with secured models)
  - High-speed encryption hardware (e.g., for SANs)
  - Integration of 802.11 and 3G AAA
  - Watermarking
Alcatel-Lucent Bell Labs Security Framework
The international standard to build secure-by-design communications solutions

Building security into the DNA of complex systems

[Figure: the Bell Labs Security Framework grid, standardized as ITU-T X.805 and ISO 18028]

Three layers (Infrastructure, Services, Applications) are crossed with three planes (End User, Control / Signaling, Management), giving nine modules:

                       Infrastructure   Services   Applications
  End User             Module 1         Module 4   Module 7
  Control / Signaling  Module 2         Module 5   Module 8
  Management           Module 3         Module 6   Module 9

Eight security dimensions are applied to every module: Access Control, Authentication, Non-Repudiation, Data Confidentiality, Communication Security, Data Integrity, Availability and Privacy (9 modules x 8 security dimensions = 72 security cells).

Threats addressed by each cell: Destruction, Corruption, Removal, Disclosure, Interruption. Attacks are analysed in terms of which of these threats they realize.
Security trends
Hacker ‘professionalism’ on the rise

Viruses are just one part of a greater danger: cybercrime. Viruses are now used as ‘tools’ to:
• Install backdoors
• Steal identity data
• Mount major attacks

[Figure: virus installs backdoor; the backdoor is then used for major attacks such as SPAM (e.g., Autoproxy, Sobig) and for targeted attacks such as financial data theft (e.g., Bugbear.b, Sobig)]

Going rates for rented attack capacity (source CLUSIF):

  Non-exclusive access to a bot       0.15 €/bot
  Exclusive access to a bot           0.35 €/bot
  Network of 500 bots (= zombies)     380 €
  20,000 proxies for spam             75 €/week
  On-demand DDoS attack               38 to 750 €

A menacing change in attacker skill and motivation: “Virus makers are becoming mercenaries.”
Security - The Jobs to do

[Figure: the pressures surrounding the security job]
• Attacks increasing in sophistication and impact
• External and internal threats and vulnerabilities
• Increasingly complex technology
• Outsourcing and application hosting
• Regulatory requirements and homeland security
• Operational challenges, patch management
• Need for privacy, reliability and availability
• Web-based commerce
SIP is no Exception
Tackling SIP Security - General SIP servers

Execution phases for all incoming SIP messages:
• Reception
• Parsing (computationally intensive for SIP!)
• Processing
• Marshalling & transmission
Processing and marshalling depend on the type of message and on the SIP element.

[Figure: general multi-threaded SIP server. Each thread takes a message from the network socket buffer, parses it completely, processes it, and writes the result to the outgoing network socket buffer.]
Tackling SIP Security - Prioritizing SIP servers

Modifications:
• Prioritization mechanism
• Message priority queue
• On-demand parsing during prioritization and processing

[Figure: prioritizing SIP server. A first set of threads pre-parses and prioritizes messages from the network socket buffer into a message priority queue; a second set takes messages from the queue and performs the remainder of the parsing and the processing before transmission.]
Tackling SIP Security - Message processing stages

Parse only what is strictly necessary, in combination with an efficient header field recognition algorithm.

[Figure: measured sojourn time (excluding the network buffer) for three server designs]
• General SIP server: full parsing, then processing
• SIP server with on-demand parsing: parsing on demand during processing
• Prioritizing SIP server with efficient parsing: parsing on demand during prioritization, queuing, then parsing on demand during processing

Prioritization policies are based on message characteristics, system state, and statistics.
Tackling SIP Security - Prioritizing SIP server

[Figure: SIP devices send SIP messages to the prioritizing SIP server, built on the Bell Labs Java SIP stack. It runs three stages: pre-parsing, prioritizing (which either passes a message on or drops it) and processing, then dispatches to SIP server1 ... servern. The service provider’s policy definition feeds the prioritizing stage, with dynamic adaptation to real-time conditions.]
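The prioritizing SIP front-end described on the preceding slides (pre-parsing, prioritization from message characteristics and system state, a bounded message priority queue, dropping under overload, and on-demand parsing of the remainder only at processing time), as an added Python example; it is not code from the slides or from the Bell Labs Java SIP stack. Everything not stated on the slides is an assumption, marked as such in the code: the header set that pre-parsing extracts, the method ranking, the per-source backlog used as the "system state" input, the queue capacity, and the constructed sample traffic (RFC 5737 documentation addresses). It goes a little beyond the slides in that it also handles responses and compact header names.

```python
import heapq
from collections import Counter

# Assumption: the policy needs only these headers; pre-parsing stops once all are
# seen and the rest of the message waits for full_parse() at processing time.
PRIORITY_HEADERS = frozenset({"via", "from", "to", "call-id", "cseq"})
COMPACT = {"v": "via", "f": "from", "t": "to", "i": "call-id", "l": "content-length"}
# Assumed ranking, lower served first: requests that release resources, then
# responses and keep-alives, then INVITE and any other new work (default 3).
METHOD_PRIORITY = {"BYE": 0, "CANCEL": 0, "ACK": 1, "REGISTER": 2, "OPTIONS": 2}


def _header(line):
    name, sep, value = line.partition(b":")
    if not sep:
        return None
    name = name.strip().lower().decode("ascii", "replace")
    return COMPACT.get(name, name), value.strip().decode("utf-8", "replace")


class SipMessage:
    def __init__(self, raw, source):
        self.raw, self.source = raw, source        # source: transport peer "ip:port"
        self.is_request, self.method, self.status, self.headers, self.body = False, "", 0, {}, b""

    def pre_parse(self):
        """Stage 1: start line plus PRIORITY_HEADERS; scanning stops early."""
        lines = self.raw.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
        parts = lines[0].decode("ascii", "replace").split(" ", 2)
        if len(parts) != 3 or "SIP/2.0" not in (parts[0], parts[2]):
            raise ValueError("malformed SIP start line")
        self.is_request = parts[0] != "SIP/2.0"
        self.method, self.status = (parts[0].upper(), 0) if self.is_request else ("", int(parts[1]))
        wanted = set(PRIORITY_HEADERS)
        for line in lines[1:]:
            h = _header(line)
            if h and h[0] in wanted:
                self.headers.setdefault(h[0], []).append(h[1])
                wanted.discard(h[0])
                if not wanted:
                    break                  # all policy headers seen: stop scanning

    def full_parse(self):
        """Stage 2: every header and the body; called from processing only."""
        head, _, rest = self.raw.partition(b"\r\n\r\n")
        self.headers = {}
        for h in filter(None, map(_header, head.split(b"\r\n")[1:])):
            self.headers.setdefault(h[0], []).append(h[1])
        self.body = rest[:int(self.headers.get("content-length", ["0"])[0] or 0)]


class PrioritizingFrontEnd:
    def __init__(self, capacity, per_source_limit):
        self.capacity, self.per_source_limit = capacity, per_source_limit
        self.heap, self.seq, self.dropped = [], 0, []   # heap of (priority, seq, msg)
        self.backlog = Counter()           # queued messages per source: system state

    def priority(self, msg):
        base = 1 if not msg.is_request else METHOD_PRIORITY.get(msg.method, 3)
        if self.backlog[msg.source] >= self.per_source_limit:
            base += 3                      # flooding source: demote, so dropped first
        return base

    def enqueue(self, raw, source):
        msg = SipMessage(raw, source)
        try:
            msg.pre_parse()
        except ValueError:
            self.dropped.append(msg)       # unparseable: reject before any more work
            return msg
        self.seq += 1                      # unique seq: tuple order never reaches msg
        heapq.heappush(self.heap, (self.priority(msg), self.seq, msg))
        self.backlog[source] += 1
        if len(self.heap) <= self.capacity:
            return None
        worst = max(self.heap)             # largest (priority, seq): newest least urgent
        self.heap.remove(worst)
        heapq.heapify(self.heap)
        self.backlog[worst[2].source] -= 1
        self.dropped.append(worst[2])
        return worst[2]                    # the message dropped to make room

    def dequeue(self):
        if not self.heap:
            return None
        _, _, msg = heapq.heappop(self.heap)
        self.backlog[msg.source] -= 1
        msg.full_parse()                   # remainder parsing happens only now
        return msg


def demo():
    """Constructed traffic (not a capture): 8 INVITEs from one flooding host, then a
    BYE, a 200 OK, an OPTIONS and a garbage datagram, into a queue of capacity 6."""
    def req(method, host, cid):
        return (f"{method} sip:bob@example.com SIP/2.0\r\nVia: SIP/2.0/UDP {host}\r\n"
                f"From: <sip:alice@example.com>;tag={cid}\r\nTo: <sip:bob@example.com>\r\n"
                f"Call-ID: {cid}@example.com\r\nCSeq: 1 {method}\r\nContent-Length: 0\r\n\r\n").encode()
    fe = PrioritizingFrontEnd(capacity=6, per_source_limit=3)
    for i in range(8):
        fe.enqueue(req("INVITE", "198.51.100.7", f"flood{i}"), "198.51.100.7:5060")
    fe.enqueue(req("BYE", "203.0.113.5", "call42"), "203.0.113.5:5060")
    fe.enqueue(b"SIP/2.0 200 OK\r\nVia: SIP/2.0/UDP 203.0.113.9\r\nCall-ID: c9\r\n"
               b"CSeq: 1 INVITE\r\nContent-Length: 0\r\n\r\n", "203.0.113.9:5060")
    fe.enqueue(req("OPTIONS", "192.0.2.1", "ping"), "192.0.2.1:5060")
    fe.enqueue(b"garbage\r\n\r\n", "192.0.2.250:5060")
    served = [m.method or str(m.status) for m in iter(fe.dequeue, None)]
    return served, len(fe.dropped)
```

demo() returns the order in which messages reach processing and the number dropped. Although the flood arrives first, the BYE, the 200 OK and the OPTIONS go ahead of the INVITEs, and the flooding source loses messages first because its growing backlog demotes its later INVITEs. Two properties of the slides’ design are visible here: a datagram rejected during pre-parsing never pays for a full parse, and the full parse of a queued message happens only after it wins the queue, so parsing cost is also spent in priority order.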
All Corners Of Security Challenges

[Figure: SIP in the middle of four pressures]
• Regulatory requirements
• Need to boost market confidence in the security of VoIP and XoIP transactions
• Pressure of reducing operational costs, and competition
• Hacking & other attacks
Introducing SIP CIA Model
Keys, Values & Codes: CIA model for SIP Security

The CIA Triad is a widely used information assurance model. It consists of Confidentiality, Integrity and Availability.

Confidentiality: ensuring that information is accessible only to those who are authorized.

Integrity: ensuring that information is pristine, unaltered and complete.

Availability: ensuring that information is available when authorized users need it.
Session Universe - People, Processes and Technology

[Figure: People / Process / Technology triangle with the SIP AS at its center]

People
• Awareness about the importance of SIP security compliance
• Convergence mind set

SIP/IMS Technology
• Adaptive messages for data gathering & analysis
• Platforms, subsystems
• Databases

Process
• Feedback loops with automated and interactive web based solutions to tie people, process and technologies together
CIA model for SIP Security
The Model is ‘Always ON’
Two Parts to the Security Strategy

Part One: Security Inside
  Value prop: enhance the brand
  a. Different from the competition
  b. Creates a foundation for “trustworthiness”

Part Two: Keeping IT Secure
  Protect the network, keep it “trustworthy”; integrated to lower the opex of security (centralized security management)
  Value prop: create revenue
  a. Enhances the trust model
     1. End-to-end security approach in NGN
     2. A solution, not more point products
     3. Centralize management for response
  b. Lower the opex of security management
     1. Central event correlation manager
     2. Central resource manager
Enterprise Security Solutions

[Figure: three solution pillars and their channels]
• User Aware Network Security: pre/post admission control
• Mobile Users Security: Nonstop Laptop Guardian
• Key Business Critical Application Security: Web Services Gateway

Channels: Data/Converged VARs, network service providers, systems integrators

SIP is perhaps the latest and most effective digital bridge of all known bridges.
Enterprise Applications

• PECaBoo
• Personal Call Manager
• Allege – WorkTrack / Field Supervisor
iLocator Features

A location-based tracking application / platform. A Location-based Service Product from Bell Labs Research & Mobility/IN.

• Tracks people/events/places on a map
  - People: track buddies within a vicinity
  - Events: track if there is a sale or a traffic jam nearby
  - Places: display preferred shops, ATMs, gas stations and restaurants in the user’s vicinity
• Enables custom services targeting enterprises, families, government (for example, TeenTracker, FleetTracker, DirectionFinder)
• Supports SMS’ing from within the application
• Works across network types, location techniques and handsets
Consumer Applications >> Data Messaging

PhonePages PeCaBoo

• A phonepage is a light-weight home page added to your phone number
• Subscribers push their pages to callers and receive pages on calls from other subscribers
• Drives data session usage by letting subscribers surf during and after calls
• Displays in connection with phone calls
• Different features at different events (for example, calling, rejected, busy)
• Displays in multiple formats (for example, WAP, SMS, e-mail, etc.)

Services used
• Multiparty Call Control
• User Interaction (WAP Push, SMS)
Enterprise Applications >> Data Messaging

EWay

• Provides remote and secure access to enterprise networks for mobilizing and telecom-enabling enterprise IT applications and systems
• Supports communication capabilities such as messaging, call management, content charging, presence and availability management, and universal service access through web, WAP and interactive voice
• Mobile internet and IVR access to MS Exchange and Outlook
• Outbound call management with click-to-dial and voice activated dialing from contact lists

Services used
• Call Control
• User Interaction
Consumer & Enterprise Applications

Fuzion

• End-users specify personal preferences to manage their communication needs
• Ability to define a personal profile (at home, office, travel, can be reached at, etc.) and instruct the system to handle incoming calls for call routing, call screening and notification treatment
• Supports a Personal Communication Portal (PCP) for personal address book, calendar and message storage via Web, WAP and Voice interfaces

Services used
• Call Control
• User Interaction
Edge Protection

• Deployed at the edge of your network as your first line of defense
• Provides multi and blended threat security along with securing VoIP
• Protects critical VoIP (H.323, SIP) resources from attacks
SIP Security and Value

Focused approach on key areas where SIP Security can bring value through:
• Innovation: by virtue of being an open protocol, it paves the way for innovation
• Flexibility of deployment choices, modularity and openness (ecosystem)

• User Aware Network Security: most flexible solution to allow user pre and post admission control
• Mobile Users Security: unique solution solving the mobile blind spot
• Key Business Critical Application Security: industry first to provide stateful policy enforcement across the organization
The Alcatel-Lucent VPN Firewall - Made for Global Scalability

[Figure: reference deployment. Data center services (VLAN 100 Extranet Server, VLAN 200 SAP Server, VLAN 300 Mail Server, VLAN 400 Public Server) sit behind a pair of VPN Firewall Brick® 1100 units. Centralized management with ALSMS (active/active, Core A and Core B) and ALSCS across the IP network. Managed service clients (Customer A, B, C) keep their existing routers and are protected by VPN Firewall Brick® 50-150, 700, 1200 and 20 units.]
The Alcatel-Lucent Security Portfolio in the Enterprise

[Figure: headquarters, global offices, primary and alternate data centers, manufacturing center, consultants and mobile workforce connected through a network cloud, monitored by a 24x7 SOC]

Technology
• ALVF with SRM/PDG/RBR
• Evros
• CloudControl
• Vital ISA (SEM)
• Vital AAA/QIP/Endforce
• AWARE
• Identity Management
• Security Professional Services
• Managed Security Services
www.alcatel-lucent.com




Security in Call Scenarios

Applications - Reach Me “AnyWare”

Jacques owns a Real Estate Agency and wants to be reachable for (important) clients any time, anywhere – independent of the network he is connected to.

  He wants to use his convenient, high-quality wireline phones whenever he is in the office or at home
  He uses his mobile phone when he is traveling
  He wants to be reached at his current location, whether the caller dialed his office, home, or mobile number
  He sometimes must change his regular schedule/preferences to serve important clients

[Diagram: Jacques (Owner) with Home in Evry, Office in Sorbonne (1pm – 5pm), Main Office in Concorde (8am – 12pm) and Jacques’ Mobile Phone; callers Pierre - less important client and Michelle - important client]
Encryption

Symmetric
  Encryption and decryption use the same key
  Key must be secret (secret key)
  Best known: DES, AES, IDEA, Blowfish, RC5

Symmetric Encryption used for
  Payload encryption (ESP)
  Packet authentication (AH & ESP)

Asymmetric
  Also known as Public Key Encryption
  Encryption and decryption keys are different
  One key is public, the other is private

Asymmetric Encryption used for
  Initial peer authentication in IKE
  Key exchange in IKE

Conventions

Symmetric Encryption

Asymmetric Encryption

Two complementary keys
  Private key (kept secret – usually protected by passphrase)
  Public key (published) – Problem: Authenticity
Basic Premises
  Keys are not computable from each other
  Encryption with one key can only be reversed with the other key
Best known examples
  RSA & ECC, DSA for signatures
Used in
  (Open)PGP (Pretty Good Privacy) for digital signatures and encryption
  PKI (Public Key Infrastructure) – e.g. certificates for web servers & S/MIME

RSA – Rivest Shamir Adleman, ECC – Elliptic Curve Cryptography, DSA – Digital Signature Algorithm

Asymmetric Encryption cont’d

Hash Functions

Hash Functions
  Produce hash values for data access or security
  Hash value: Number generated from a string of text
  Hash is substantially smaller than the text itself and typically fixed length
Basic Premises:
  Unlikely that other text produces the same hash value (collision resistance)
  Unidirectional (cannot calculate text from hash – preimage resistance)
Provides: Integrity & Authentication
Best known: SHA-1 & MD5

Example (note how a single changed character yields an unrelated hash):
  $ echo The quick brown fox jumps over the lazy dog. | md5sum
  0d7006cd055e94cf614587e1d2ae0c8e *-
  $ echo The quick brown fox jumps over the lazy dog! | md5sum
  54828ad41cf232a5c374689e2f06d3af *-

SHA – Secure Hash Algorithm, MD5 – Message Digest

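The md5sum demo above, reworked as an added example (not from the slides): it measures how many digest bits flip for the one-character change, and shows the keyed variant (HMAC) that a practitioner needs when "authentication" must hold against a deliberate attacker rather than accidental corruption. The two sentences are the slide's own; the HMAC key is a constructed placeholder.

```python
"""Added example (not from the slides): avalanche effect of hash functions
on the slide's two inputs, plus HMAC as the keyed form used for
authentication. Sample strings are the slide's; the key is a constructed
placeholder."""
import hashlib
import hmac

# The two inputs of the slide's md5sum demo, as echo emits them
# (echo appends a trailing newline).
MSG_DOT = b"The quick brown fox jumps over the lazy dog.\n"
MSG_BANG = b"The quick brown fox jumps over the lazy dog!\n"

# The two algorithms the slide names, plus SHA-256 as the modern choice.
ALGORITHMS = ("md5", "sha1", "sha256")


def digest_report(data: bytes) -> dict:
    """Return {algorithm: hexdigest} for every algorithm in ALGORITHMS."""
    return {name: hashlib.new(name, data).hexdigest() for name in ALGORITHMS}


def differing_bits(hex_a: str, hex_b: str) -> int:
    """Count bit positions in which two equal-length hex digests differ."""
    if len(hex_a) != len(hex_b):
        raise ValueError("digests must have the same length")
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def avalanche(data_a: bytes, data_b: bytes) -> dict:
    """Digest both inputs and report, per algorithm, digest size and bits changed.

    A one-character change flips roughly half of the output bits of a
    well-behaved hash, which is why the slide's two md5sum lines look
    unrelated even though the inputs differ by one character.
    """
    rep_a, rep_b = digest_report(data_a), digest_report(data_b)
    return {
        name: {
            "bits": len(rep_a[name]) * 4,  # hex chars -> bits
            "changed": differing_bits(rep_a[name], rep_b[name]),
        }
        for name in ALGORITHMS
    }


# Integrity vs. authentication: a bare hash detects accidental corruption,
# but whoever can alter the message can also recompute its hash. A keyed
# hash (HMAC) can only be recomputed by a holder of the secret key, which
# is what packet authentication in AH/ESP relies on.
def make_tag(key: bytes, data: bytes) -> str:
    """HMAC-SHA256 tag over data, hex encoded."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_tag(key: bytes, data: bytes, tag: str) -> bool:
    """Constant-time comparison so verification timing does not leak the tag."""
    return hmac.compare_digest(make_tag(key, data), tag)


if __name__ == "__main__":
    for name, stats in avalanche(MSG_DOT, MSG_BANG).items():
        print(f"{name:7s} {stats['changed']:3d} of {stats['bits']} bits changed")
    key = b"constructed-demo-key-not-a-real-secret"  # placeholder key
    tag = make_tag(key, MSG_DOT)
    print("original verifies:", verify_tag(key, MSG_DOT, tag))
    print("tampered verifies:", verify_tag(key, MSG_BANG, tag))
```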
Hash Functions cont’d

Certificate creation

SSH-2 Protocol Stack & Connection establishment

SSH-2 comprises multiple flexible hierarchical protocols.

  SSH Authentication Protocol (SSH-AUTH) | SSH Connection Protocol (SSH-CONN) | SSH File Transfer Protocol (SSH-SFTP)
  SSH Transport Layer Protocol (SSH-TRANS)
  TCP/IP

Connection Establishment

 1. SSH-TRANS – Authenticates host and does the initial key negotiations
 2. SSH-AUTH – Authenticates user via flexible methods - Optional
 3. SSH-CONN – Channel based services layer for – multiple channels simultaneously
 4. SSH-SFTP – For remote file operations – Specific applications

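Step 1 above, host authentication in SSH-TRANS, seen from the client side as an added example (not code from the slides): the client derives the fingerprint of the host key blob received during key exchange and checks it against a known_hosts file, handling both plain and hashed host entries and distinguishing an unknown host from a changed key. The key bytes, hostnames and known_hosts lines are all constructed for the demo and belong to no real server.

```python
"""Added example (not from the slides): client-side host key check of
SSH-TRANS against an OpenSSH-style known_hosts file. All key material,
hostnames and known_hosts lines are constructed for this demo."""
import base64
import hashlib
import hmac
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire 'string' (uint32 length prefix + bytes)."""
    return struct.pack(">I", len(data)) + data


def parse_ssh_string(buf: bytes, offset: int):
    """Decode one SSH 'string' at offset; return (value, new_offset)."""
    if offset + 4 > len(buf):
        raise ValueError("truncated length field")
    (length,) = struct.unpack(">I", buf[offset:offset + 4])
    offset += 4
    if offset + length > len(buf):
        raise ValueError("truncated string body")
    return buf[offset:offset + length], offset + length


def key_type(blob: bytes) -> str:
    """Algorithm name carried in the first field of a host key blob."""
    name, _ = parse_ssh_string(blob, 0)
    return name.decode("ascii")


def fingerprint_sha256(blob: bytes) -> str:
    """OpenSSH-style fingerprint: SHA-256 of the whole blob, base64, no padding."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def host_matches(field: str, hostname: str) -> bool:
    """Match a known_hosts host field, plain (comma-separated) or hashed."""
    if field.startswith("|1|"):
        # Hashed entry: |1|base64(salt)|base64(HMAC-SHA1(key=salt, msg=hostname))
        _, _, salt_b64, mac_b64 = field.split("|")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(mac_b64)
        mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, expected)
    return hostname in field.split(",")


def check_host_key(hostname: str, blob: bytes, known_hosts: str) -> str:
    """Return 'trusted', 'mismatch' (key changed: treat as possible impersonation)
    or 'unknown' (first contact: verify the fingerprint out of band)."""
    presented_type = key_type(blob)
    presented_b64 = base64.b64encode(blob).decode("ascii")
    for line in known_hosts.splitlines():
        parts = line.split()
        if len(parts) < 3 or line.startswith("#"):
            continue
        host_field, ktype, key_b64 = parts[0], parts[1], parts[2]
        if not host_matches(host_field, hostname) or ktype != presented_type:
            continue
        if hmac.compare_digest(key_b64, presented_b64):
            return "trusted"
        return "mismatch"
    return "unknown"


# --- constructed sample data (not a real key, salt or host) ---
DEMO_PUB = bytes(range(32))                  # stand-in for a 32-byte ed25519 public key
HOST_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(DEMO_PUB)
OTHER_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(32))
DEMO_SALT = b"\x11" * 20


def hashed_entry(hostname: str) -> str:
    """Build a hashed known_hosts host field for hostname (constructed helper)."""
    mac = hmac.new(DEMO_SALT, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(DEMO_SALT).decode(), base64.b64encode(mac).decode())


KNOWN_HOSTS = "\n".join([
    "# constructed known_hosts for the demo",
    "sftp.example.test,10.0.0.5 ssh-ed25519 " + base64.b64encode(HOST_BLOB).decode(),
    hashed_entry("gw.example.test") + " ssh-ed25519 " + base64.b64encode(HOST_BLOB).decode(),
])

if __name__ == "__main__":
    print(key_type(HOST_BLOB), fingerprint_sha256(HOST_BLOB))
    for host, blob in [("sftp.example.test", HOST_BLOB), ("gw.example.test", HOST_BLOB),
                       ("sftp.example.test", OTHER_BLOB), ("new.example.test", HOST_BLOB)]:
        print(f"{host:20s} -> {check_host_key(host, blob, KNOWN_HOSTS)}")
```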
Summing Up

1. Security is Ever Pervasive

2. SIP is no exception

3. SIP CIA Model

4. The ‘Always ON’ Model at Work

5. Call Flow Scenarios with built in SIP Security

www.alcatel-lucent.com





Mais conteúdo relacionado

Mais procurados

Privacy - Principles, PrimeLife and Identity Mixer - Thomas Gross
Privacy - Principles, PrimeLife and Identity Mixer - Thomas GrossPrivacy - Principles, PrimeLife and Identity Mixer - Thomas Gross
Privacy - Principles, PrimeLife and Identity Mixer - Thomas GrossThomas Gross
 
RSA 2012 Presentation: Information Protection
RSA 2012 Presentation: Information ProtectionRSA 2012 Presentation: Information Protection
RSA 2012 Presentation: Information ProtectionSymantec
 
Threat Modeling / iPad
Threat Modeling / iPadThreat Modeling / iPad
Threat Modeling / iPadSylvain Maret
 
分会场八云及虚拟环境安全防护
分会场八云及虚拟环境安全防护分会场八云及虚拟环境安全防护
分会场八云及虚拟环境安全防护ITband
 
Tolly Group Report: IBM Security Network IPS GX7800 Appliance
Tolly Group Report: IBM Security Network IPS GX7800 ApplianceTolly Group Report: IBM Security Network IPS GX7800 Appliance
Tolly Group Report: IBM Security Network IPS GX7800 ApplianceJoao Perez
 
Crypto regulations in Russia
Crypto regulations in RussiaCrypto regulations in Russia
Crypto regulations in RussiaAleksey Lukatskiy
 
Using Security to Build with Confidence in AWS - Trend Micro
Using Security to Build with Confidence in AWS - Trend Micro Using Security to Build with Confidence in AWS - Trend Micro
Using Security to Build with Confidence in AWS - Trend Micro Amazon Web Services
 
International approaches to critical information infrastructure protection ...
International approaches to critical information infrastructure protection   ...International approaches to critical information infrastructure protection   ...
International approaches to critical information infrastructure protection ...owaspindia
 
Junos Pulse Mobile Security Suite Launch
Junos Pulse Mobile Security Suite LaunchJunos Pulse Mobile Security Suite Launch
Junos Pulse Mobile Security Suite LaunchJuniper Networks
 
SunGard Enterprise Cloud Services @ Cloud Connect 2011
SunGard Enterprise Cloud Services @ Cloud Connect 2011SunGard Enterprise Cloud Services @ Cloud Connect 2011
SunGard Enterprise Cloud Services @ Cloud Connect 2011Satish Hemachandran
 
CoreTrace Whitepaper: Application Whitelisting -- A New Security Paradigm
CoreTrace Whitepaper: Application Whitelisting -- A New Security ParadigmCoreTrace Whitepaper: Application Whitelisting -- A New Security Paradigm
CoreTrace Whitepaper: Application Whitelisting -- A New Security ParadigmCoreTrace Corporation
 
Relatório nielsen elementos protecćųo seguranća produtos 20092010_en
Relatório nielsen elementos protecćųo seguranća produtos 20092010_enRelatório nielsen elementos protecćųo seguranća produtos 20092010_en
Relatório nielsen elementos protecćųo seguranća produtos 20092010_enRetail Trends
 
Surveillance Of Objects
Surveillance Of ObjectsSurveillance Of Objects
Surveillance Of Objectseduardlemmens
 
NEC IWS+PAN - Cyber Security Solutions
NEC IWS+PAN - Cyber Security SolutionsNEC IWS+PAN - Cyber Security Solutions
NEC IWS+PAN - Cyber Security SolutionsNECIndia
 
ISACA National Capital Area Chapter (NCAC) in Washington, DC - Ulf Mattsson
ISACA National Capital Area Chapter (NCAC) in Washington, DC -  Ulf MattssonISACA National Capital Area Chapter (NCAC) in Washington, DC -  Ulf Mattsson
ISACA National Capital Area Chapter (NCAC) in Washington, DC - Ulf MattssonUlf Mattsson
 
Intrusion Detection System (IDS)
Intrusion Detection System (IDS)Intrusion Detection System (IDS)
Intrusion Detection System (IDS)HCL Technologies
 

Mais procurados (19)

Privacy - Principles, PrimeLife and Identity Mixer - Thomas Gross
Privacy - Principles, PrimeLife and Identity Mixer - Thomas GrossPrivacy - Principles, PrimeLife and Identity Mixer - Thomas Gross
Privacy - Principles, PrimeLife and Identity Mixer - Thomas Gross
 
Hosted Contact Centre Security
Hosted Contact Centre SecurityHosted Contact Centre Security
Hosted Contact Centre Security
 
RSA 2012 Presentation: Information Protection
RSA 2012 Presentation: Information ProtectionRSA 2012 Presentation: Information Protection
RSA 2012 Presentation: Information Protection
 
Threat Modeling / iPad
Threat Modeling / iPadThreat Modeling / iPad
Threat Modeling / iPad
 
分会场八云及虚拟环境安全防护
分会场八云及虚拟环境安全防护分会场八云及虚拟环境安全防护
分会场八云及虚拟环境安全防护
 
Tolly Group Report: IBM Security Network IPS GX7800 Appliance
Tolly Group Report: IBM Security Network IPS GX7800 ApplianceTolly Group Report: IBM Security Network IPS GX7800 Appliance
Tolly Group Report: IBM Security Network IPS GX7800 Appliance
 
Crypto regulations in Russia
Crypto regulations in RussiaCrypto regulations in Russia
Crypto regulations in Russia
 
Using Security to Build with Confidence in AWS - Trend Micro
Using Security to Build with Confidence in AWS - Trend Micro Using Security to Build with Confidence in AWS - Trend Micro
Using Security to Build with Confidence in AWS - Trend Micro
 
International approaches to critical information infrastructure protection ...
International approaches to critical information infrastructure protection   ...International approaches to critical information infrastructure protection   ...
International approaches to critical information infrastructure protection ...
 
Junos Pulse Mobile Security Suite Launch
Junos Pulse Mobile Security Suite LaunchJunos Pulse Mobile Security Suite Launch
Junos Pulse Mobile Security Suite Launch
 
WI-FI Security in Jersey 2011
WI-FI Security in Jersey 2011WI-FI Security in Jersey 2011
WI-FI Security in Jersey 2011
 
SunGard Enterprise Cloud Services @ Cloud Connect 2011
SunGard Enterprise Cloud Services @ Cloud Connect 2011SunGard Enterprise Cloud Services @ Cloud Connect 2011
SunGard Enterprise Cloud Services @ Cloud Connect 2011
 
CoreTrace Whitepaper: Application Whitelisting -- A New Security Paradigm
CoreTrace Whitepaper: Application Whitelisting -- A New Security ParadigmCoreTrace Whitepaper: Application Whitelisting -- A New Security Paradigm
CoreTrace Whitepaper: Application Whitelisting -- A New Security Paradigm
 
Targeted Attacks: Have you found yours?
Targeted Attacks: Have you found yours?Targeted Attacks: Have you found yours?
Targeted Attacks: Have you found yours?
 
Relatório nielsen elementos protecćųo seguranća produtos 20092010_en
Relatório nielsen elementos protecćųo seguranća produtos 20092010_enRelatório nielsen elementos protecćųo seguranća produtos 20092010_en
Relatório nielsen elementos protecćųo seguranća produtos 20092010_en
 
Surveillance Of Objects
Surveillance Of ObjectsSurveillance Of Objects
Surveillance Of Objects
 
NEC IWS+PAN - Cyber Security Solutions
NEC IWS+PAN - Cyber Security SolutionsNEC IWS+PAN - Cyber Security Solutions
NEC IWS+PAN - Cyber Security Solutions
 
ISACA National Capital Area Chapter (NCAC) in Washington, DC - Ulf Mattsson
ISACA National Capital Area Chapter (NCAC) in Washington, DC -  Ulf MattssonISACA National Capital Area Chapter (NCAC) in Washington, DC -  Ulf Mattsson
ISACA National Capital Area Chapter (NCAC) in Washington, DC - Ulf Mattsson
 
Intrusion Detection System (IDS)
Intrusion Detection System (IDS)Intrusion Detection System (IDS)
Intrusion Detection System (IDS)
 

Semelhante a Security model-of-sip-d2-05 at kishore

Bapinger Network Security
Bapinger Network SecurityBapinger Network Security
Bapinger Network SecurityDjadja Sardjana
 
Thy myth of hacking Oracle
Thy myth of hacking OracleThy myth of hacking Oracle
Thy myth of hacking OracleErmando
 
ccmigration_09186a008033a3b4
ccmigration_09186a008033a3b4ccmigration_09186a008033a3b4
ccmigration_09186a008033a3b4guest66dc5f
 
McAffee_Security and System Integrity in Embedded Devices
McAffee_Security and System Integrity in Embedded DevicesMcAffee_Security and System Integrity in Embedded Devices
McAffee_Security and System Integrity in Embedded DevicesIşınsu Akçetin
 
AWS Partner Presentation - TrendMicro - Securing your Journey to the Cloud, A...
AWS Partner Presentation - TrendMicro - Securing your Journey to the Cloud, A...AWS Partner Presentation - TrendMicro - Securing your Journey to the Cloud, A...
AWS Partner Presentation - TrendMicro - Securing your Journey to the Cloud, A...Amazon Web Services
 
Cyber security-briefing-presentation
Cyber security-briefing-presentationCyber security-briefing-presentation
Cyber security-briefing-presentationsathiyamaha
 
Anti evasion and evader - klaus majewski
Anti evasion and evader - klaus majewskiAnti evasion and evader - klaus majewski
Anti evasion and evader - klaus majewskiStonesoft
 
Take Control of End User Security
Take Control of End User SecurityTake Control of End User Security
Take Control of End User Securityanniebrowny
 
PCTY 2012, IBM Security and Strategy v. Fabio Panada
PCTY 2012, IBM Security and Strategy v. Fabio PanadaPCTY 2012, IBM Security and Strategy v. Fabio Panada
PCTY 2012, IBM Security and Strategy v. Fabio PanadaIBM Danmark
 
Vulnerability in Security Products
Vulnerability in Security ProductsVulnerability in Security Products
Vulnerability in Security ProductsDaveEdwards12
 
Data security in cloud
Data security in cloudData security in cloud
Data security in cloudInterop
 
Udi and juniper networks BYOD
Udi and juniper networks BYODUdi and juniper networks BYOD
Udi and juniper networks BYODstefriche0199
 
Modern Lessons in Security Monitoring
Modern Lessons in Security MonitoringModern Lessons in Security Monitoring
Modern Lessons in Security MonitoringAnton Goncharov
 
Trend Micro Dec 6 Toronto VMUG
Trend Micro Dec 6 Toronto VMUGTrend Micro Dec 6 Toronto VMUG
Trend Micro Dec 6 Toronto VMUGtovmug
 
Symantec Endpoint Protection 12
Symantec Endpoint Protection 12Symantec Endpoint Protection 12
Symantec Endpoint Protection 12Symantec
 
Securing the Human (人を守るセキュリティ)
Securing the Human (人を守るセキュリティ)Securing the Human (人を守るセキュリティ)
Securing the Human (人を守るセキュリティ)itforum-roundtable
 
Antivirus específicos para entornos virtualizados
Antivirus específicos para entornos virtualizadosAntivirus específicos para entornos virtualizados
Antivirus específicos para entornos virtualizadosNextel S.A.
 

Semelhante a Security model-of-sip-d2-05 at kishore (20)

Bapinger Network Security
Bapinger Network SecurityBapinger Network Security
Bapinger Network Security
 
Thy myth of hacking Oracle
Thy myth of hacking OracleThy myth of hacking Oracle
Thy myth of hacking Oracle
 
ccmigration_09186a008033a3b4
ccmigration_09186a008033a3b4ccmigration_09186a008033a3b4
ccmigration_09186a008033a3b4
 
McAffee_Security and System Integrity in Embedded Devices
McAffee_Security and System Integrity in Embedded DevicesMcAffee_Security and System Integrity in Embedded Devices
McAffee_Security and System Integrity in Embedded Devices
 
S series presentation
S series presentationS series presentation
S series presentation
 
AWS Partner Presentation - TrendMicro - Securing your Journey to the Cloud, A...
AWS Partner Presentation - TrendMicro - Securing your Journey to the Cloud, A...AWS Partner Presentation - TrendMicro - Securing your Journey to the Cloud, A...
AWS Partner Presentation - TrendMicro - Securing your Journey to the Cloud, A...
 
Cyber security-briefing-presentation
Cyber security-briefing-presentationCyber security-briefing-presentation
Cyber security-briefing-presentation
 
Anti evasion and evader - klaus majewski
Anti evasion and evader - klaus majewskiAnti evasion and evader - klaus majewski
Anti evasion and evader - klaus majewski
 
Take Control of End User Security
Take Control of End User SecurityTake Control of End User Security
Take Control of End User Security
 
PCTY 2012, IBM Security and Strategy v. Fabio Panada
PCTY 2012, IBM Security and Strategy v. Fabio PanadaPCTY 2012, IBM Security and Strategy v. Fabio Panada
PCTY 2012, IBM Security and Strategy v. Fabio Panada
 
BYOD and Your Business
BYOD and Your BusinessBYOD and Your Business
BYOD and Your Business
 
Vulnerability in Security Products
Vulnerability in Security ProductsVulnerability in Security Products
Vulnerability in Security Products
 
Data security in cloud
Data security in cloudData security in cloud
Data security in cloud
 
Udi and juniper networks BYOD
Udi and juniper networks BYODUdi and juniper networks BYOD
Udi and juniper networks BYOD
 
Modern Lessons in Security Monitoring
Modern Lessons in Security MonitoringModern Lessons in Security Monitoring
Modern Lessons in Security Monitoring
 
Trend Micro Dec 6 Toronto VMUG
Trend Micro Dec 6 Toronto VMUGTrend Micro Dec 6 Toronto VMUG
Trend Micro Dec 6 Toronto VMUG
 
Symantec Endpoint Protection 12
Symantec Endpoint Protection 12Symantec Endpoint Protection 12
Symantec Endpoint Protection 12
 
Securing the Human (人を守るセキュリティ)
Securing the Human (人を守るセキュリティ)Securing the Human (人を守るセキュリティ)
Securing the Human (人を守るセキュリティ)
 
Antivirus específicos para entornos virtualizados
Antivirus específicos para entornos virtualizadosAntivirus específicos para entornos virtualizados
Antivirus específicos para entornos virtualizados
 
VSD Infotech
VSD InfotechVSD Infotech
VSD Infotech
 

Security model-of-sip-d2-05 at kishore

  • 1. “Security Model” of SIP A T Kishore January 31st, 2008 Alcatel-Lucent - Proprietary
  • 2. Agenda 1. Security is Ever Pervasive 2. SIP is no exception 3. Introducing SIP CIA Model 4. ‘Always ON’ 5. Call Flow Scenarios Alcatel-Lucent – Proprietary All Rights Reserved © Alcatel-Lucent 2007
  • 3. Security is Ever Pervasive Alcatel-Lucent – Proprietary All Rights Reserved © Alcatel-Lucent 2007
  • 4. About Alcatel-Lucent Leadership and Expertise in Security Alcatel-Lucent’s resources are pioneers in the knowledge that drives security innovations Patents and standardization: R&D leadership Hundreds of patents in security, cryptography, biometrics, firewalls, denial of service and virus detection ITU Standards Visionary (X.805) then ISO 18028 Major player in ITU-T SG 17 – Lead Study Group on Communication System Security CERT-IST operation, FIRST membership since 1999 Bell Labs leadership in: Creation of new cryptography (SHAZAM for CDMA2000, PAK) Breaking of old cryptography (PKCS#1, DSA, SOBER, Clipper) Development of optical-rate encryption ciphers and NSA-certified encryptors Pioneering work in provable security Biometrics (voice authentication with secured models) High-speed encryption hardware (e.g., for SANs) Integration of 802.11 and 3G AAA Watermarking Alcatel-Lucent – Proprietary All Rights Reserved © Alcatel-Lucent 2007
  • 5. Alcatel-Lucent Bell Labs Security Framework The international standard to build secure-by-design communications solutions Building security into the DNA of complex systems Layers Infrastructure Services Applications THREATS End User MODULE 1 MODULE 4 MODULE 7 Destruction Corruption Planes Control / MODULE 2 MODULE 5 MODULE 8 Removal Signaling Disclosure Management MODULE 3 MODULE 6 MODULE 9 Interruption ATTACKS Access Control Non-Repudiation Comms Security Availability (9 modules X 8 cells = 72 security cells) Data Authentication Confidentiality Data Integrity Privacy The Bell Labs Security Framework ITU/X.805 Security Standard ISO 18028 Security Standard Alcatel-Lucent – Proprietary All Rights Reserved © Alcatel-Lucent 2007
  • 6. Security trends Hacker ‘professionalism’ on the rise Viruses are just one part of a greater danger: cybercrime Viruses are now used as ‘tools’ to: Install backdoors Virus Steal identity data Major Targeted attacks attacks Mount major attacks Backdoor (ex: Bugbear.b, Sobig) (ex: Autoproxy, Financial Sobig) SPAM data theft Non-exclusive Major attacksNetwork of 500 Exclusive access for rent 20000 proxy for On-demand access to a bot to a bot bots (= zombies) spam DDOS attack 0.15 €/bot 0.35 €/bot 380 € 75 €/week 38 to 750 € (source CLUSIF) A menacing change in attacker skill and motivation “Virus makers are becoming mercenaries.” Alcatel-Lucent – Proprietary All Rights Reserved © Alcatel-Lucent 2007
  • 7. Security –The Jobs to do Attacks increasing in sophistication and impact External and Increasingly internal threats complex and vulnerabilities technology Outsourcing and Regulatory Application Requirements Hosting & Homeland Security Operational Need for privacy, challenges, patch reliability and management availability Web-based commerce Alcatel-Lucent – Proprietary All Rights Reserved © Alcatel-Lucent 2007
  • 8. SIP is no Exception Alcatel-Lucent – Proprietary All Rights Reserved © Alcatel-Lucent 2007
  • 9. Tackling SIP Security -General SIP servers Execution phases for all incoming SIP messages: Reception Parsing computationally intensive for SIP! Processing Depend on type of message and SIP element Marshalling & transmission General multi-threaded SIP server Parsing Processing Network socket buffer Network socket buffer Parsing Processing thread Parsing Processing Alcatel-Lucent – Proprietary All Rights Reserved © Alcatel-Lucent 2007
  • 10. Tackling Prioritizing SIP servers Modifications: Prioritization mechanism Message priority queue On-demand parsing during prioritization and processing Prioritizing SIP server Remainder parsing & processing Pre-parsing & prioritization Network socket buffer Message priority queue Network socket buffer Remainder parsing & processing Pre-parsing & prioritization Remainder parsing & processing Alcatel-Lucent – Proprietary All Rights Reserved © Alcatel-Lucent 2007
  • 11. Tackling SIP Security-Message processing stages Parse only what is strictly necessary in Measured sojourn time combination with an (excluding network buffer) efficient header field recognition algorithm General SIP server Parsing Processing SIP server with on-demand parsing Parsing on-demand during processing Prioritizing SIP server with efficient parsing Queuing Parsing on-demand during processing Parsing on-demand during prioritization Prioritization policies based on message characteristics, system state, and statistics Alcatel-Lucent – Proprietary All Rights Reserved © Alcatel-Lucent 2007
  • 12. Tackling SIP Security-Prioritizing SIP server SIP messages Service Provider SIP devices Pre-parsing Policy definition Prioritizing Policy Drop Processing Dynamic adaptation to real-time conditions Bell Labs Java SIP stack SIP SIP server1 servern Alcatel-Lucent – Proprietary All Rights Reserved © Alcatel-Lucent 2007
  • 13. All Corners Of Security Challenges Regulatory requirements Need to boost Market Pressure of reducing confidence in security of SIP operational costs & VoIP, XoIP transactions Competition Hacking & other attacks Alcatel-Lucent – Proprietary All Rights Reserved © Alcatel-Lucent 2007
  • 14. Introducing SIP CIA Model Alcatel-Lucent – Proprietary All Rights Reserved © Alcatel-Lucent 2007
  • 15. Keys, Values & Codes CIA model for SIP Security The CIA Triad is a widely used information assurance model. It consists of: Confidentiality Integrity Availability Confidentiality Ensuring that information is accessible only by those who are authorized. Integrity Ensuring that information is pristine/unaltered/complete. Availability Ensuring that the Information is available as per the needs. Alcatel-Lucent – Proprietary All Rights Reserved © Alcatel-Lucent 2007
  • 16. Keys, Values & Codes CIA model for SIP Security Alcatel-Lucent – Proprietary All Rights Reserved © Alcatel-Lucent 2007
  • 17. Session Universe-People, Processes and Enablewhare People SIP/IMS Technology • Awareness about • Adaptive Messages for importance of SIP data gathering & analysis Security compliance • Platforms, Subsystems • Convergence mind set • Databases Te ple chn Peo olo gy SIP AS Process Process • Feedback loops with automated and interactive web based solutions to tie people, process and technologies together Alcatel-Lucent – Proprietary - 17 - All Rights Reserved © Alcatel-Lucent 2007
  • 18. CIA model for SIP Security Alcatel-Lucent – Proprietary All Rights Reserved © Alcatel-Lucent 2007
  • 19. The Model is ‘Always ON’ Alcatel-Lucent – Proprietary All Rights Reserved © Alcatel-Lucent 2007
  • 20. Two Parts to the Security Strategy • Part One: Security Inside Value Prop - Enhance the Brand a. Different from the competition b. Creates a foundation for “trustworthiness” Value Prop – Create Revenue Part Two: Keeping IT Secure a. Enhances the Trust Model Protect the network, keep it “trustworthy” 1. End-to-end security approach in NGN Integrated to lower the opex of security 2. A solution – not more point products Centralized 3. Centralize management for response Security Management b. Lower the Opex of Security Management 1. Central event correlation manager 2. Central resource manager Alcatel-Lucent – Proprietary All Rights Reserved © Alcatel-Lucent 2007
  • 21. Enterprise Security Solutions User Aware Key Business Critical Mobile Users Security Network Security Application Security Pre/post Web Nonstop Laptop admission Services guardian control Gateway Data/Converged Network service Systems Integrators VARS providers SIP is perhaps the latest and effective digital bridge of all known bridges Alcatel-Lucent – Proprietary All Rights Reserved © Alcatel-Lucent 2007
  • 22. Enterprise Applications PECaBoo Personal Call Manager Allege – WorkTrack/ Field Supervisor Alcatel-Lucent – Proprietary All Rights Reserved © Alcatel-Lucent 2007
  • 23. iLocator Features A location-based track application / platform A Location-based Service Product from A Location-based Service Product from Bell Labs Research & Mobility/IN Bell Labs Research & Mobility/IN Tracks people/events/places on a map People: Track buddies within a vicinity Events: Track if there is a sale or a traffic-jam nearby Places: Display preferred shops, ATMs, gas stations, and restaurants in the user’s vicinity Enables custom services targeting enterprises, families, govt. For example, TeenTracker, FleetTracker, DirectionFinder Supports SMS’ing from within the application Works across network types, location techniques, handsets Alcatel-Lucent – Proprietary All Rights Reserved © Alcatel-Lucent 2007
  • 24. Consumer Applications >> Data Messaging PhonePages PeCaBoo A phonepage is a light-weight home page added to your phone number Displays in connection with phone calls Subscribers push their pages to Different features at different callers and receive pages on calls events (for example, calling, rejected, busy) from other subscribers Displays in multiple formats (for Drives data session usage by letting example, WAP, SMS, e-mail, etc.) subscribers surf during and after calls Servicesused Multiparty Call Control User Interaction (WAP Push, SMS) Alcatel-Lucent – Proprietary All Rights Reserved © Alcatel-Lucent 2007
  • 25. Enterprise Applications >> Data Messaging EWay Provides remote and secure access to enterprise networks for mobilizing and telecom-enabling enterprise IT applications and systems Supports communication capabilities such a messaging, call management, content Mobile internet and IVR access to MS charging, presence and availability Exchange and Outlook management, and universal service access Outbound call management with click- to-dial and voice activated through, web, WAP and interactive voice dialing from contact lists Servicesused Call Control User Interaction Alcatel-Lucent – Proprietary All Rights Reserved © Alcatel-Lucent 2007
  • 26. Consumer & Enterprise Applications Fuzion End-users specify personal preference to manage their communication needs. Ability to define personal profile (at home, office, travel, can be reached at, etc) and instruct the system to handle incoming calls for call routing, call screening and notification treatment Supports Personal communication portal (PCP) for personal address book, calendar, messages storage via Web, WAP and Voice interfaces Servicesused Call Control User Interaction Alcatel-Lucent – Proprietary All Rights Reserved © Alcatel-Lucent 2007
  • 27. Edge Protection • Deployed at the edge of your network as your first line of defense • Provides Multi and Blended threat security along with securing VOIP • Protects critical VOIP (H.323, SIP) resources from attacks Alcatel-Lucent – Proprietary All Rights Reserved © Alcatel-Lucent 2007
  • 28. SIP Security and Value Focused approach on key areas where SIP Value Security can bring value through: Flexibility Innovation By virtue of being a open Your Text here Your Text here protocol, it paves way for innovation Your Text here Innovation Your Text here Flexibility of deployment choices, modularity and openness (ecosystem) User Aware Key Business Critical Mobile Users Security Network Security Application Security Most flexible Unique solution Industry first to solution to allow solving the mobile provide stateful user pre and post blind spot policy enforcement admission control across organization Alcatel-Lucent – Proprietary All Rights Reserved © Alcatel-Lucent 2007
• 29. The Alcatel-Lucent VPN Firewall - Made for Global Scalability
  [Network diagram: managed service clients on VLAN 100–400 (Extranet Server, SAP Server, Mail Server, Public Server) behind existing routers; Brick® 50-150, Brick® 1100, Brick® 700 (Active/Active), Brick® 1200 and Brick® 20 VPN Firewalls at the data center, services, Core A/Core B and customer A/B/C sites; centralized management with ALSMS/ALSCS over the existing IP network]
• 30. The Alcatel-Lucent Security Portfolio in the Enterprise
  Technology:
  • ALVF with SRM/PDG/RBR
  • Evros
  • CloudControl
  • Vital ISA (SEM)
  • Vital AAA/QIP/Endforce
  • AWARE
  • Identity Management
  • Security Prof Services
  • Managed Security Services
  [Diagram labels: Global Offices, Headquarters, Alternate Data Center, Network Cloud, Primary Data Center, Manufacturing Center, Consultants, Mobile Workforce, SOC - 24X7]
• 31. www.alcatel-lucent.com
• 32. Security in Call Scenarios
• 33. Applications - Reach Me “AnyWare”
  Jacques owns a Real Estate Agency and wants to be reachable for (important) clients any time, anywhere – independent of the network he is connected to.
  He wants to use his convenient, high-quality wireline phones whenever he is in the office or at home.
  He uses his mobile phone when he is traveling.
  He wants to be reached at his current location, whether the caller dialed his office, home, or mobile number.
  He sometimes must change his regular schedule/preferences to serve important clients.
  [Diagram labels: Jacques (Owner); Home in Evry; Office in Sorbonne (1pm – 5pm); Main Office in Concorde (8am – 12pm); Jacques’ Mobile Phone; Pierre - less important client; Michelle - important client]
• 34. Encryption
  Symmetric
    Encryption and decryption use the same key
    Key must be secret (secret key)
    Best known: DES, AES, IDEA, Blowfish, RC5
    Symmetric encryption used for: payload encryption (ESP); packet authentication (AH & ESP)
  Asymmetric
    Also known as Public Key Encryption
    Encryption and decryption keys are different
    One key is public, the other is private
    Asymmetric encryption used for: initial peer authentication in IKE; key exchange in IKE
• 35. Conventions
• 36. Symmetric Encryption
• 37. Asymmetric Encryption
  Two complementary keys
    Private key (kept secret – usually protected by a passphrase)
    Public key (published) – Problem: authenticity
  Basic premises
    Keys are not computable from each other
    Encryption with one key can only be reversed with the other key
  Best known examples
    RSA & ECC, DSA for signatures
    Used in (Open)PGP (Pretty Good Privacy) for digital signatures and encryption
    PKI (Public Key Infrastructure) – e.g. certificates for web servers & S/MIME
  RSA – Rivest Shamir Adleman, ECC – Elliptic Curve Cryptography, DSA – Digital Signature Algorithm
• 38. Asymmetric Encryption cont’d
• 39. Hash Functions
  Hash functions produce hash values for data access or security
  Hash value: number generated from a string of text
  Hash is substantially smaller than the text itself and typically fixed length
  Basic premises:
    Unlikely that other text produces the same hash value (collision resistance)
    Unidirectional (cannot calculate text from hash)
  Provides: Integrity & Authentication
  Best known: SHA-1 & MD5
  Example:
    $ echo The quick brown fox jumps over the lazy dog. | md5sum
    0d7006cd055e94cf614587e1d2ae0c8e *-
    $ echo The quick brown fox jumps over the lazy dog! | md5sum
    54828ad41cf232a5c374689e2f06d3af *-
  SHA – Secure Hash Algorithm, MD5 – Message Digest
• 40. Hash Functions cont’d
• 41. Hash Functions cont’d
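The slide says hashes provide integrity and authentication; in SIP the concrete instance is Digest authentication (RFC 3261), which uses MD5 exactly as shown above. The following added example (not from the deck) computes a SIP Digest response on the client side and verifies it on a registrar that stores only HA1; the in-memory `Registrar`, user names and nonce handling are assumptions for illustration.

```python
import hashlib
import secrets


def md5_hex(s: str) -> str:
    """MD5 hex digest of a string, as the slide's md5sum does for stdin."""
    return hashlib.md5(s.encode()).hexdigest()


def sip_digest_response(username, realm, password, method, uri, nonce):
    """Client side of SIP Digest (RFC 3261, no qop): MD5(HA1:nonce:HA2)."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")   # binds user, realm, secret
    ha2 = md5_hex(f"{method}:{uri}")                   # binds the request itself
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


class Registrar:
    """Hypothetical registrar: keeps HA1 (not the password) and one-time nonces."""

    def __init__(self, realm):
        self.realm = realm
        self.ha1_by_user = {}
        self.live_nonces = set()

    def add_user(self, username, password):
        self.ha1_by_user[username] = md5_hex(f"{username}:{self.realm}:{password}")

    def challenge(self):
        nonce = secrets.token_hex(16)      # fresh, unpredictable nonce per 401
        self.live_nonces.add(nonce)
        return nonce

    def verify(self, username, method, uri, nonce, response):
        if nonce not in self.live_nonces:          # unknown or already used nonce
            return False
        ha1 = self.ha1_by_user.get(username)
        if ha1 is None:
            return False
        expected = md5_hex(f"{ha1}:{nonce}:{md5_hex(f'{method}:{uri}')}")
        ok = secrets.compare_digest(expected, response)  # constant-time compare
        if ok:
            self.live_nonces.discard(nonce)            # consume nonce: no replay
        return ok


def hex_bits_differing(a: str, b: str) -> int:
    """Count differing bits between two equal-length hex digests (avalanche)."""
    return bin(int(a, 16) ^ int(b, 16)).count("1")
```

Changing a single byte of the request (method, URI or password) changes the response unpredictably, which is what lets the registrar detect tampering; MD5 is used here only because SIP Digest and the slide specify it.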
• 42. Certificate creation
• 43. SSH-2 Protocol Stack & Connection establishment
  SSH-2 comprises multiple flexible hierarchical protocols:
    SSH Authentication Protocol (SSH-AUTH) | SSH Connection Protocol (SSH-CONN) | SSH File Transfer Protocol (SSH-SFTP)
    SSH Transport Layer Protocol (SSH-TRANS)
    TCP/IP
  Connection Establishment
    1. SSH-TRANS – authenticates the host and does the initial key negotiations
    2. SSH-AUTH – authenticates the user via flexible methods – optional
    3. SSH-CONN – channel-based services layer – multiple channels simultaneously
    4. SSH-SFTP – for remote file operations – specific applications
• 44. Summing Up
  1. Security is Ever Pervasive
  2. SIP is no exception
  3. SIP CIA Model
  4. The ‘Always ON’ Model at Work
  5. Call Flow Scenarios with built-in SIP Security
• 45. www.alcatel-lucent.com