IMS Security and Protection

Micaela Giuhat, VP Product Management

Sipera Systems, email: micaela@sipera.com

Outline
  • Open system security
  • VoIP security requirements
  • Industry approach and strategies
  • IMS security requirements
  • IMS vulnerabilities
  • Attack examples
  • Solution
  • Summary
Open Systems can be attacked

The traditional voice network is a closed system, versus the Internet, which is open.

Diagram: the "Bad Guys" on the Internet, facing a network of internal web servers, e-mail servers, external web servers and the core network, with these threats:
  • Denial of Service Attacks
  • Viruses
  • Spyware
  • Blended Attacks
  • E-mail SPAM

The Internet Security Industry
  • Applications Protected
    • Web Apps
    • E-mail
    • Database

Diagram: the same network (internal web servers, e-mail servers, external web servers, core network), now behind network security boxes: Logs Correlation, SPAM Filter, IPS, IDS and Firewall, between it and the Internet.

But… problems still persist.

Enter VoIP
  • VoIP is different …
    • Real time
    • Peer-to-peer
    • Protocol rich
    • Complex state machine (several dozen states)
    • Feature rich (several hundred services)
    • Separate signaling & media planes
    • Low tolerance to false positives & negatives

Diagram: the same network as before, with Communication Servers added behind the existing network security boxes (Logs Correlation, SPAM Filter, IPS, IDS, Firewall).

Current Industry Approach

Current industry thinking is to add VoIP awareness to all the existing security boxes, although nothing is actually available yet …

The approach is unworkable:

1. Not real time

2. Cannot handle encrypted traffic

3. Can’t keep up with new feature addition

Diagram: the same network (internal web servers, e-mail servers, external web servers, Communication Servers, core network) behind the existing network security boxes (Logs Correlation, SPAM Filter, IPS, IDS, Firewall).

Current Strategies

Diagram: the strategies available today, with the limitation noted next to each box:
  • Security Agent (protect against Windows OS vulnerabilities): may block good calls
    • Hard to manage
    • Will not meet performance specifications
    • Does not address multi vendor
    • Cannot keep up with new features
    • Not available yet
  • FW/ALG: opens pinholes; ALG is vulnerable
  • IDS/IPS (VoIP traffic analysis, Signature/Anomaly Filtering, Event Correlation, Remediation): limited signatures
  • DoS/DDoS Guard at the core switch and PSTN GW: scrubs IP DoS/DDoS traffic
  • Certs, Authentication, Encryption: cannot stop spoofed Caller IDs

Desired Approach

IP Communications Security (IPCS) Solution

Integrated, real time VoIP security solution that comprehensively tackles all VoIP vulnerabilities, both Enterprise & Carrier

Diagram: the IPCS solution placed between the Internet and the network (internal web servers, e-mail servers, external web servers, Communication Servers, core network), alongside the existing network security boxes (Logs Correlation, SPAM Filter, IPS, IDS, Firewall).

Tolerance for False Negatives: Email Vs Voice

Diagram comparing the two delivery modes:
  • Email Delivery Mode: Store, Analyze, Forward in near-real time. A low volume email attack that passes the security device as a false negative reaches the Email Server; the e-mail may not be extracted immediately and can be deleted fairly easily; low annoyance level.
  • Call Delivery Mode: Analyze, Forward in real time. A low volume voice attack that passes the security device as a false negative reaches the Call Server; the call is delivered in real time and the phone rings constantly; high annoyance level.
Typical Solution vs. Desired Solution

Diagram: the typical solution is a set of separate boxes, each listing the domains it covers, with VoIP added to each:
  • Anti-SPAM: e-mail, VoIP
  • Network Level Correlation: VoIP, OS, IP, Web, database
  • Intrusion Detection System: OS, IP, Web, VoIP
  • Denial of Service Prevention: IP, Web, database, VoIP
  • Intrusion Prevention System: OS, IP, Web, e-mail, VoIP
  • Firewall: VoIP, OS, IP, Web

The desired solution is a Comprehensive Integrated Security Solution for Communications Applications (VoIP, IM, Video, Multi-Media).
Comprehensive IMS Security System
  • A Comprehensive IMS Security System must:
    • Prevent unauthorized usage
    • Protect end-user privacy
    • Protect IMS infrastructure from attacks
    • Protect end-users from attacks
    • Handle voice SPAM
Security Aspects addressed in IMS

Diagram mapping vulnerabilities to protection techniques:
  • Unauthorized use and Privacy: well defined by 3GPP and addressed by the core IMS infrastructure (SIM, HSS, AAA, PDG) through Authentication (SIM) and Encryption (IPSec, TLS)
  • Attacks on Infrastructure, Attacks on End-users and IMS SPAM: not addressed; the protection techniques required are:
    • IMS Aware Firewall (Policy based filters: URL/IMSI/MSISDN/AP/IP white/black lists, etc.)
    • IMS Intrusion Prevention (Call Stateful Deep packet inspection (IMS decode), Behavioral learning (finger printing), Protocol fuzzing prevention, media filtering, etc.)
    • IMS Network Level Security Management (Event correlation, Network Threat Protection)
    • IMS SPAM Filter (User control, Behavioral learning (call patterns, trust scores), Machine Call detection, etc.)
Security Aspects addressed in IMS

Characteristics of existing Internet security solutions versus what IMS traffic needs:
  • Existing Internet Security Solutions (IP traffic: E-mail, Web, Database)
    • Client - Server
    • Non-Real time
    • TCP/UDP/ICMP/FTP/HTTP/SQL aware
  • Not addressed (VoIP, IMS, IP TV)
    • Peer - Peer
    • Real time
    • IMS/SIP/H.248/RTP/MPEG aware
    • Call State & Service aware
    • User & Traffic Behavioral Learning
IMS reference architecture

Diagram: the 3GPP IMS reference architecture, showing the UE, GGSN, P-CSCF, I-CSCF, S-CSCF, HSS, SLF, AS, BGCF, MGCF, MGW, MRFC, MRFP, PDF, Charging Functions and the PSTN over the IP Transport (Access and Core), connected by the reference points Rf/Ro, Sh, Dh, ISC, Cx, Dx, Mw, Mi, Mj, Mr, Mg, Mp, Mn and Gq, with the protocols SIP, H.248 and DIAMETER.

IMS Vulnerabilities

Diagram: the IMS core (HSS, Apps, Chrg, Call Server, SIP Server, MGCF, MRFC, BGCF, SGF, P/S/I CSCF, SLF/PDF/IBCF/IWF) and the Media Gateway (MGW, MRFP, T-MGF, ABGF, IBGF, IP-IP GW), annotated with vulnerabilities that are well known in the data world and with application level vulnerabilities that are new, unique & real time sensitive.

  • IMS & SIP enable a rich feature set of Converged Services ….. but also open up the network to IP based vulnerabilities
  • IMS & SIP vulnerabilities include:
    • OS level vulnerabilities
    • IP Layer 3 vulnerabilities
    • IMS Framework related vulnerabilities
    • SIP/RTP/H.248/etc. protocol vulnerabilities
    • VoIP/Video/PoC/etc. Application vulnerabilities
    • VoIP SPAM
IMS Architecture Vulnerabilities: Some Examples
  • Compromised mobile phones
    • Zombie hard/soft phones
    • Modified phone with malicious intent
      • Malicious/Malformed/Spoofed signaling attacks
      • Malicious/Malformed/Spoofed media attacks
      • Spoofed IMS Emergency session attacks
      • Presence update attacks
      • Initiating Conferencing to block the network resources
  • UE having direct access to the IMS core network
    • Charging fraud - Signaling directly to S-CSCF to avoid charging
  • Misconfigured/partially configured UEs and/or Network elements
  • Non-GPRS access such as WLAN or BB can be attacked directly from the internet without a subscription
  • SPAM
IMS Application Level Attacks
  • Attack Types:
    • Flood Denial of Service
      • Signaling
      • Media
    • Distributed DoS
    • Stealth DoS
      • Target individual or group of users
    • Blended attacks
      • Recruit zombies and use them to launch an attack
    • SPAM
      • SPAM over Internet Telephony (SPIT)

Diagram: human attackers, spammers and zombie attackers send spoofed packets at the MMD core (HSS, Apps, Chrg, SIP Server, Call Server, MGCF, MRFC, BGCF, SGF, P/S/I CSCF, SLF/PDF/IBCF/IWF) and the Media Gateway (MGW, MRFP, T-MGF, ABGF, IBGF, IP-IP GW).

Both Network & Subscribers can be attacked
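The signaling flood and stealth DoS patterns listed above, as an added detection example that is not part of the presentation or of any Sipera product: it counts INVITEs per second per source and per target over constructed SIP request log lines. The log line format, the thresholds and all addresses are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed log format (assumption): "<epoch-second> <method> from=<src> to=<target>"
LOG_RE = re.compile(r"^(\d+) (\w+) from=(\S+) to=(\S+)$")

FLOOD_PER_SRC = 100       # INVITEs/s from one source: signaling flood (assumed threshold)
STEALTH_PER_TARGET = 10   # INVITEs/s at one user from several sources (assumed threshold)


def parse(lines):
    """Yield (second, method, src, dst) for every well-formed log line."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            ts, method, src, dst = m.groups()
            yield int(ts), method, src, dst


def analyze(lines):
    """Return {(second, kind, key): invite_count}; kind is "flood" (one source
    hammering the signaling plane) or "stealth" (one target hit from many sources)."""
    per_src = defaultdict(Counter)   # second -> Counter of source addresses
    per_dst = defaultdict(Counter)   # second -> Counter of target URIs
    dst_srcs = defaultdict(set)      # (second, target) -> distinct sources
    for ts, method, src, dst in parse(lines):
        if method != "INVITE":       # only session setup counts toward DoS here
            continue
        per_src[ts][src] += 1
        per_dst[ts][dst] += 1
        dst_srcs[(ts, dst)].add(src)
    alerts = {}
    for ts, counts in per_src.items():
        for src, n in counts.items():
            if n >= FLOOD_PER_SRC:
                alerts[(ts, "flood", src)] = n
    for ts, counts in per_dst.items():
        for dst, n in counts.items():
            if n >= STEALTH_PER_TARGET and len(dst_srcs[(ts, dst)]) > 1:
                alerts[(ts, "stealth", dst)] = n
    return alerts


def sample_log():
    """Constructed traffic: one zombie flooding alice, twelve sources on bob, some normal calls."""
    lines = ["1000 INVITE from=10.0.0.5 to=sip:alice@ims.example"] * 120
    lines += [f"1001 INVITE from=10.0.1.{i} to=sip:bob@ims.example" for i in range(12)]
    lines += ["1001 INVITE from=10.0.2.1 to=sip:carol@ims.example",
              "1001 REGISTER from=10.0.2.2 to=sip:dave@ims.example"]
    return lines
```

The single-source burst at alice is reported as a flood only, since the stealth rule requires more than one source; bob's twelve distinct callers trigger the stealth rule without approaching the flood threshold.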

IMS Vulnerability Protection System Reference Architecture

Diagram: human attackers, spammers and zombie attackers face an IMS Vulnerability Protection System placed in front of the IMS core (HSS, Apps, Chrg, Call Server, SIP Server, MGCF, MRFC, BGCF, SGF, P/S/I CSCF, SLF/PDF/IBCF/IWF) and the Media Gateway (MGW, MRFP, T-MGF, ABGF, IBGF, IP-IP GW).

IMS Vulnerability Protection System is distinct from the IMS core infrastructure

Attack Summary
  • An IMS network built in compliance with 3GPP or TISPAN specifications still has numerous vulnerabilities
  • An attack on the network could cause network-wide outages including bringing down HSSs, App Servers, SIP servers, Call Servers, Media Gateways and IP-IP Gateways
  • Attacks towards specific targeted individual users could cause them extreme annoyance and disrupt their service in insidious ways
  • Sipera Systems' research team has identified over 90 distinct categories of attacks
  • These attacks require hackers with varying levels of sophistication, but many attacks are possible even by so-called “script kiddies”