Exceed with COLT NGN Architectures, VoIP Security and Protocols

Exceed with COLT NGN Architectures, VoIP Security and Protocols UKNOF 5 25/10/06 Neil J. McRae – Director of Network Architecture Nico Fischbach – Head of Network Security COLT Telecom Group FOR INTERNAL USE ONLY

Agenda

What is VoIP? VoIP Architectures VoIP Protocols & Security Concerns Questions

UKNOF 5 : NGN VoIP : Neil J. McRae

COLT and VoIP COLT Telecom > Voice, Data and Managed Services, Tier 1 ISP in EU > 14 countries, 60 cities, 50k business customers > 20 000 km of fibre across Europe + DSL V o I P “ e x p e r i e n c e ”

> 3 major vendor directions – O n e “ w e ' r e c o m i n g f r o mt h e T D Mw o r l d ” – O n e “ w e ' r e c o m i n g f r o mt h e I P w o r l d ” – O n e “ w e ' r e a V o I P c o m p a n y ” > Internet and MPLS VPN-based VoIP services > Own network (fiber + DSL) and wDSL > Going MSPP + VoIP NGN + IMS – TDM scaling issues UKNOF 5 : NGN VoIP : Neil J. McRae

3

What is VoIP? The Customer Viewpoint

Computer with softclient (SIP or Skype)

(((

Hardphone (analog or SIP or Skype)

((( o ))) wAP (+ SIP)


Internet

4

Hosted IP PBX

TDM PSTN

PRI (ISDN over E1) PBX

Voice Switch

POTS

PBX could be IP-enabled with IP phones on LAN

VoIP/ToIP

TDM PSTN

TDM PSTN

Voice Switch

IP PBX

Voice Switch

IP PBX


S B C

F W

Internet H.323/RTP

MPLS H.323/RTP

CPE NAT

CPE No NAT

5

PBX Trunking over IP

TDM PSTN

PRI (ISDN over E1) PBX

Voice Switch

POTS VoIP/ToIP

DTMF H.323(/MGCP) Softswitch

PBX

MGCP

TDM PSTN

Voice Switch

MGW

RTP

64kUR (PBX Mgmt)

F W

Internet H.323(/MGCP)/RTP

CPE No NAT T.38 (FAX)


6

Wholesale VoIP

TDM PSTN

Voice Switch

PRI (ISDN over multiple E1s or STM-1s)

Voice Switch

TDM PSTN

POTS VoIP/ToIP SIP Softswitch MGCP

TDM PSTN

Voice Switch

MGW

RTP

S B C

Internet SIP/RTP

H.323/RTP

Other Carrier VoIP Core

MGW


7

Softswitch Architecture (Intermediate Architecture)

COLT or 3rd party TDM/SS7 Networks

Softswitch (Call Control, Signalling GW, Media GW Control, Subscriber Database and Voice Applications)

Session Border Control

COLT or 3rd party IP Network

Media Gateway

End Users

Management and Provisioning

End Users

> Softswitch: it combines the Call Control, the Signalling Gateway and the Media Gateway Control function. Together with the Media Gateway function it provides signalling and media inter-working with the legacy TDM voice network. The intelligence of the system (call control functionality) as well the customer database resides within the softswitch function. > Session Border Control: it provides secure access control to the customer appliances and mediates between the COLT IMS and any 3rd party IP network > Management and Provisioning: it is an integrated OSS platform that allows end to end provisioning and management across the technology components.


IMS Architecture (Target Architecture) IMS Application Layer

COLT or 3rd party TDM/SS7 Networks

End Users

Interworking with TDM Voice Network

Core SIP Call Control

Customer Profile Database

Management and Provisioning


COLT or 3rd party IP Network

End Users

>

Interworking with TDM Voice Network: it provides signalling and media inter-working with the TDM voice network

>

Core SIP Call Control: it is a set of SIP enabled devices that control the flow of SIP messages between the customer appliances (IP phones, soft phones, wireless handhelds) and the rest of the IMS components

>

Customer Profile Database: it contains the user identity and the user service profile, providing session authentication and access to service applications

>

Session Border Control: it provides secure access control to the customer appliances and mediates between the IMS and any 3rd party IP network

>

Application Layer: it provides the service logic, with a set of Application Servers dedicated to specific services (eg an IP Centrex AS for telephony services, a Mobility AS for FMC integration, a Messaging AS for unified messaging and presence services)

>

IMS Management and Provisioning: it is an integrated OSS platform that allows end to end provisioning and management across the IMS technology components.


Softswitch Architecture – Logical Level 1

Direct VoIP Traffic

2

Indirect VoIP Traffic

3

Indirect TDM Traffic

Softswitch Application Layer

Call Control

Media Signalling AA

ISUP

MGCF

Subscriber DB

Legacy Apps

SGW

Voice Apps

NGIN

3

3rd

party TDM/SS7 Networks

TDM

MGW

Media Gateway

RTP Proxy


H.323 / SIP

ALG

RTP

3rd party IP Networks RTP

UA

H.323 / SIP, RTP

H.323 / SIP

2

H.323 / SIP

COLT NGN Transport Network RTP

H.323 / SIP

1

UA


UA ALG MGW MGCF SGW NGIN

User Agent Application Layer Gateway Media Gateway Media Gateway Ctrl Function Signalling Gateway Next Gen IN

IMS Architecture – Logical Level 1

Direct VoIP Traffic

2

Indirect VoIP Traffic

3

Interworking with TDM Voice Network

Indirect TDM Traffic ISUP

Media Signalling AA

NGIN

AS

Application Layer

SGW Diameter

SIP

SIP

MGCF

CSCF

Diameter

HSS

3

3rd party TDM/SS7 Networks

PCM

SIP

MGW RTP Proxy

Core SIP Call Control

SIP ALG

Customer Profile Database Session Border Control

RTP

3rd party IP Networks RTP

SIP

UA

SIP, RTP

2

NGN Transport Network RTP SIP

UA


SIP

1

UA I-BGF A-BGF CSCF HSS

User Agent I/C-Border Gw Function Access-BGF Call/Session Ctrl Function Home Subscriber Server

MGW MGCF SGW AS NGIN

Media Gateway Media Gateway Ctrl Function Signalling Gateway Application Server Next Gen IN

VoIP Core Network Architecture with Security

Billing

WEB

DB

F W

H.323/RTP CPE

FW IP PBX IP PBX

S F B W C

IP / MPLS PBX

SBC H.323/MGCP/RTP

Softswitch MGW

MGW

TDM / PSTN

CPE

F W

S B C

MGW


SIP/RTP

Carrier

Internet H.323/RTP

Carrier

12

Nortel Voice Services

SIP or SIPT

Network Signalling

CS2000

USP LPP

SS7

CS2000 GWC

• Lawful Intercept • Conferencing • Announcements

H.248

M3UA/SCTP

Centrex IP Client Manager (CICM)

CS LAN

Back Office

H.248

IEMS SIP

Element Management

PSTN

MS2010

MG15K

Firewall NAT/NAPT

Cable

IP Network

NCS

SIP

CMTS

H.323

SIP UNIStim

HF C

SIP

PBX

Derived Lines CPE IAD

xDSL IAD DSLAM


Video Feed

Hosted PBX

MGCP

Centrex IP

PC i2004 Softclient Etherset

BCP (RTP Media Portal)

MGCP

H.248

Session Server Lines

Cable Modem

Huawei MM - Meeting Conference

IP Centrex

GTAS9900 GTAS

MM - PS Presence

iManagerN2000 NMS

MM - Messaging IM

HSS9820 HSS

Application Layer SIP CSC3300 S-CSCF

CSC3300 BGCF CSC3300 P-CSCF

Session Control Layer

SIP

CSC3300 I-CSCF

iCG9815 CCF

MRS6200 MRF

SE2000 SBC

SIP

SoftX3000 AGCF/MGCF/MGC

Other Carrier

SG7000 SG

SS7

Managed IP Core

UMG8900 SIP IAD IP-Phone

MGW

H.323 IP-PBX

IAD IP-Phone

Access Layer


IP-PBX

PRI

SS7

E1

PBX

PSTN

Alcatel 8965 CCCS

1300 CMC

X1

X1

8628 MMIC App Server X1

DPNSS Gateway

8690 OSP App Server 8640CMM -8675 LNP X1

X 10 – UK Only

5020 CSC

5020 MGC

X7

X1

Convedia Media Server

1357 LI X1

X1

5020 SLS X2

Access Border Gateway X 339 total

75xx TGW

Intercept Manager

7510 = 3 7515 = 10

In-Country SITE

QSIG Gateway(s) X 5 per country


X 1 per country

Ericsson IMS control SCP

HSS

Access Gateway Control Function (AGCF) PSTN/ISDN Emulation Service

Feature Server

TeS

RSS

IUA

H.248 (AGW)

TDM

PBX

Media Gateway Control Function (MGCF)

ISC ~SIP SIP

CSCF

H.248

TeS

SIP SIP

SIP

TDM

Feature Server

Diameter

AGC

Q.931

EAR

Presence Server

Telephony Softswitch

V5.2

IP Centrex Broadband telephony

MGC/ Telephony SGW Softswitch

SIP

ISUP

MRFC H.248

MRFP

MPLS/ IP

MGW

SIP/ H.323

H.248

CCS

PBN Telephony RTP

MGW

PSTN

RTP

MSAN

D S L

A-SBG

Broadband access Router/ BRAS

IAD SIP+RTP


RTP

N-SBG SIP/H.323 VoIP

Cisco Application Server

Billing & Measurement

ISC COLT STP

I P T

Presence Engine

COLT PSTN

PGW

CSCP-SE

Cx Sh

HSS

MGW FWSM SBC

SIP-T SIP

SIP/H.323 Interconnect Carrier

SIP

MGCP

SIP

MGCP

SIP

CSCP-EP Reseller

SIP / H.323 IP PBX

COLT IP PBX

BRI PRI

BRI Q.SIG

PRI DPNSS

SIP end-devices

Carrier VoIP Service

COLT VoIP Reseller

COLT Voice Gateway

COLT IP-PBX


COLT Total

COLT Voice Integrate

Lucent VitalQIP

Lucent Communication Manager

DNS / ENUM, DHCP

Beyond Other SIP Applications

Colibria Kodiak Polycom.

Lucent Presence Server

Lucent AnyPath

Lucent FS 3000

USDS / DF

SurePay

HSS, HLR, AAA

CCF, OCS

Lucent SM S-CSCF

BGCF

I-CSCF

Lucent NC MGCF SGF

P-CSCF

Audiocodes IPMedia 2000

ETSI ISUP v2 (M2UA)

Media Server

IP Core Lucent CS

Working Alternative

Acme

Acme Packet Packets Net-Net SD

S/BC

PRI Gateway

SCP STP Existing COLT TDM Switch

SIP SIP

Legacy PBX

INAP

Lucent MG NG

E1 IMT ETSI ISUP v2

Access Network SIP IAD

PTT

H.323

IADs, ATAs, SIP Hard and Soft Phones


H.323 IP PBX

Sonus

IMX – Open Applications Server/ Broker

OSPA Enhanced Services

G S X 9 0 0 0 ™ Open Services Switch PSTN/ PLMN

Packet Network

S o n u s I n s i g h t ™ Management System Provisioning, Billing and Monitoring G S X 4 0 0 0 ™ Open Services Switch PSTN/ PLMN

G S X 9 0 0 0 ™ Network Border Switching Function Packet Network

PSX - Routing Server ASX SGX - Signaling Gateway VoBB Access Class 5 Services


Packet Network

VoIP Protocols H.323 > ITU, ASN.1, CPE/PhoneGatekeeper

> H.225/RAS (1719/UDP) for registration > H.225/Q.931 (1720/TCP) for call setup > H.245 (>1024/TCP – or over call setup channel) for call management MGCP (Media Gateway Control Protocol) > IETF, Softswitch (CallAgent)MGW > CallAgents->MGW (2427/UDP) > MGW->CallAgents (2727/UDP) > Used to control MGWs > AoC (Advice Of Charge) towards CPE - **


20

VoIP Protocols SIP >IETF, HTTP-like >Session based – Does anyone here not know what SIP is? :D RTP >Media stream (one or one per direction) >CODECs (G.711{a,u}, G.726, G.729(a)) >RTCP: control protocol for RTP

>SRTP: Secure RTP (w/ MiKEY) >Often 16000+/UDP or default NAT range, but can be any UDP>1024 >Can be UA U Aa k a “ F r e e Intersite” or UAMGWUA UKNOF 5 : NGN VoIP : Neil J. McRae

21

H.323 versus SIP > The majority of current COLT VoIP products is based on H.323 > This is mainly owing to missing functionality on SIP > Questionable interoperability and scalability concerns still exist though (10s of billions of minutes) > SIP not expected to completely replace H.323 in the mid/long term. > Protocols are somewhat complementary- no religion here though! > More detail on the differences

> and more insight on understanding of our direction at: > http://www.packetizer.com/voip/h323_vs_sip/ > This is expected to change over time UKNOF 5 : NGN VoIP : Neil J. McRae

Session Border Controller What the role of an SBC ?

>Security >Hosted NAT traversal (correct signalling / IP header) >Signalling conversion >Media Conversion >Stateful RTP pin-holing based on signalling Can be located at different interfaces: Customer/Provider, inside customer LAN, Provider/Provider (VoIP peering)

What can be done on a FW with ALGs ? What can be done on the end-system ? Is there a need for a VoIP NIDS (especially with SIP-TLS)? UKNOF 5 : NGN VoIP : Neil J. McRae

23

VoIP Hardware Mix of software and hardware (mostly DSPs) >Softswitch: usually only signalling >MGW (Media Gateway): RTPTDM, SS7oIPSS7 >IP-PBX: Softswitch+MGW Operating systems >Real-time OSes (QNX/Neutrino, VxWorks, RTLinux) >Windows >Linux, Solaris Poor OS hardening Patch management:

>OSes not up-to-date >N o t “ a l l o w e d ” t o p a t c h t h e m UKNOF 5 : NGN VoIP : Neil J. McRae

24

Security Challenges VoIP protocols >No, VoIP isn't just SIP >SIP is a driver for IMS services and cheap CPEs

>H.323 and MGCP (still) rock the carrier world Security issues >VoIP dialects >Only a couple of OEM VoIP stacks (think x-vendor vulnerabilities) >FWs / SBCs: do they solve issues or introduce complexity ? >Are we creating backdoors into customer networks ?

>CPS and QoS UKNOF 5 : NGN VoIP : Neil J. McRae

25

One more backdoor? « Executive floor » WLAN AP

« IT floor » Internet access r

ap

fw cpe

r s

External laptop

Internet

r

r cpe r s

s

fw av as p

Remote maintenance

Corporate Internet access

CPE

ar

VoIP

Vendor Office

Remote office/ Partners IP VPN


Partner

IP PBX Shared TFTPd

Customer B Customer C

26

VoIP Dialects No way to firewall / ACL (especially if non-stateful) based on protocol inspection Vendors who never heard of timeouts and don't send keep-alives Result : > Clueful: –Permit UDP

> Half clueful: –Permit UDP 1024> any

> Clueless: –Permit UDP any any

End-result: > 0wn3d via exposed UDP services on COTS systems > Who needs RPC services (>1024/UDP) ?


27

Lawful Intercept >Re-use existing solutions: TDM break-out >Install a sniffer (signalling & media stream) >Re-route calls (but hide it in the signalling) >Eavesdropping not a real threat (own network) >Enterprise network : Needs to be a part of a global security strategy – How many have this? – Clear text e-mail – Clear text protocols (HTTP, Telnet, etc) – VoIP – Etc >VoIP over WLAN easy.


28

Phones and Terminals IP Phones Reliability > Quite easy to crash (weak implementation)

TCP/IP

stacks and buggy software

> Mostly an insider threat – How clueful is your cleaner? – DHCP server – TFTP server (phone configuration) – Credentials (login + PIN) – Fraud issues. VoIP doesn't mean that you need to move to IP Phones > PBX with E1 (PRI/BRI) to router and then VoIP > PBX with IP interface towards the outside world (but do you really want to put your PBX on the Internet) ? > Means that you have to maintain two separate networks, but “ s o l v e s ” t h e QoS issues on a LAN > What about soft clients ?! – All the usual Unix/Windows issues.


29

Denial of Service Generic DDoS > Not a real issue, you can't talk to our VoIP Core – ACLs are complex to maintain use edge-only BGP blackholing

> We are used to deal with large DDoS attacks :) – http://www.securite.org/presentations/ddos/

DoS that are more of an issue > Generated by customers: not too difficult to trace (IT Clue)

> Protocol layer DoS : H.323 / MGCP / SIP signalling – Replace CPE / use soft-client – Inject crap in the in-band signalling (MGCP commands, weird H.323 TPKTs, etc)

– Get the state machine of the inspection engine either confused or in a block-s t a t e , i f l u c k y f o r t h e “ s e r v e r ” a d d r e s s e s a n d n o t t h e clients – Vendors not really thinking about this. UKNOF 5 : NGN VoIP : Neil J. McRae

30

Security Challenges Online services >Call Management (operator console) >IN routing (Fraud potential)

>Reporting / CDRs Security issues >Multi-tenant capabilities

>Have the vendors ever heard of web application security ? >Who needs security or lawful intercept if a kid can route your voice traffic via SQL injection WebApp FWs are really required...


31

Security Challenges TDM / VoIP : two worlds, two realms, becoming one ? >S e c u r i t y b y “ o b s c u r i t y ” / c o m p l e x i t y vs the IP world >Fraud detection Security issues >New attack surface for legacy TDM/PSTN networks

>No security features in old Class4/Class5 equipment >No forensics capabilities, no mapping to physical line >Spoofing and forging

>People: Voice Engineers vs Data Engineers vs Security engineers. Engineering vs Operations. Marketing vs Engineering. Conflicts and Time-to-Market UKNOF 5 : NGN VoIP : Neil J. McRae

32

Operational Concerns VoIP is damn complex

Only way to debug most of the issues: VoiceEng + IP/DataEng + SecurityEng on a bridge/online chat Requirement: be able to sniff all traffic Tool: Ethereal/Wireshark Attacker: Just use any of the protocol decoder flaw in the sniffer

Make sure your sniffers are on R/O SPAN ports, in a DMZ which only allows in-bound VNC/SSH Do not underestimate the effort on a multi Country setup – What is EU?!

If the guy is really good and can upload a rootkit over RTP: get his CV and offer him a job – you need this guy – serious skills shortage UKNOF 5 : NGN VoIP : Neil J. McRae

33

VoIP Carrier Interconnect A k a “ V o I P p e e r i n g ” / C a r r i e r i n t e r c o n n e c t Already in place (TDM connectivity for VoIP carriers/Skype{In, Out}) Connectivity: over the Internet, IX (public/private), MPLS VPN or VPLS (Ethernet)

No end-to-end MPLS VPN, break the VPN and use an IP-IP interface Hide your infrastructure (topology hiding), use {white, black}listing and make sure only the other carrier can talk to you Signalling/Media conversion (SBC) Remember – t h i s i s n ’ t w e b t r a f f i c – its termination money in both directions! UKNOF 5 : NGN VoIP : Neil J. McRae

34

Encryption / Authentication Do we want to introduce it ? V e n d o r X : “ W e a r e c o m p l i a n t ” . S u r e .

V e n d o r Y : “ I t ' s o n o u r r o a d m a p ” . Q 1 Y 3 1 3 3 7 ? V e n d o r Z : “ W h y d o y o u n e e d t h i s ? ” . Hmmmm... IPsec from CPE to VoIP core >Doable (recent HW with CPU or crypto card) >What about CPECPE RTP ? >Still within RTT / echo-cancellation window May actually do mobile deviceVoIP core >Bad guys can only attack the VPN concentrators >No impact on directly connected customers Still reliability issues in vendor implementations UKNOF 5 : NGN VoIP : Neil J. McRae

35

IMS Security – The Future IMS = IP Multimedia Subsystem Remember when the mobile operators built their WAP and 3G networks ?

>M o s t l y “ o p e n ” ( a k a t e r m i n a l i s t r u s t e d ) >E v e n c o n n e c t e d w i t h t h e i r “ i n t e r n a l ” / I T n e t w o r k IMS services with MVNOs, 3G/4G: overly complex architecture with tons of interfaces Large attack surface: registration/tracking servers, application servers, etc Firewalling: complex if not impossible

Next thing to try: Attack FixedMobile handover (GSMWiFi) UKNOF 5 : NGN VoIP : Neil J. McRae

36

Questions?


37