NGN Architectures, VoIP Security and. Protocols. UKNOF 5 25/10/06. Neil J.
McRae –Director of Network Architecture. Nico Fischbach –Head of Network ...
Exceed with COLT NGN Architectures, VoIP Security and Protocols UKNOF 5 25/10/06 Neil J. McRae – Director of Network Architecture Nico Fischbach – Head of Network Security COLT Telecom Group FOR INTERNAL USE ONLY
Agenda
What is VoIP? VoIP Architectures VoIP Protocols & Security Concerns Questions
UKNOF 5 : NGN VoIP : Neil J. McRae
COLT and VoIP COLT Telecom > Voice, Data and Managed Services, Tier 1 ISP in EU > 14 countries, 60 cities, 50k business customers > 20 000 km of fibre across Europe + DSL V o I P “ e x p e r i e n c e ”
> 3 major vendor directions – O n e “ w e ' r e c o m i n g f r o mt h e T D Mw o r l d ” – O n e “ w e ' r e c o m i n g f r o mt h e I P w o r l d ” – O n e “ w e ' r e a V o I P c o m p a n y ” > Internet and MPLS VPN-based VoIP services > Own network (fiber + DSL) and wDSL > Going MSPP + VoIP NGN + IMS – TDM scaling issues UKNOF 5 : NGN VoIP : Neil J. McRae
3
What is VoIP? The Customer Viewpoint
Computer with softclient (SIP or Skype)
(((
Hardphone (analog or SIP or Skype)
((( o ))) wAP (+ SIP)
UKNOF 5 : NGN VoIP : Neil J. McRae
Internet
4
Hosted IP PBX
TDM PSTN
PRI (ISDN over E1) PBX
Voice Switch
POTS
PBX could be IP-enabled with IP phones on LAN
VoIP/ToIP
TDM PSTN
TDM PSTN
Voice Switch
IP PBX
Voice Switch
IP PBX
UKNOF 5 : NGN VoIP : Neil J. McRae
S B C
F W
Internet H.323/RTP
MPLS H.323/RTP
CPE NAT
CPE No NAT
5
PBX Trunking over IP
TDM PSTN
PRI (ISDN over E1) PBX
Voice Switch
POTS VoIP/ToIP
DTMF H.323(/MGCP) Softswitch
PBX
MGCP
TDM PSTN
Voice Switch
MGW
RTP
64kUR (PBX Mgmt)
F W
Internet H.323(/MGCP)/RTP
CPE No NAT T.38 (FAX)
UKNOF 5 : NGN VoIP : Neil J. McRae
6
Wholesale VoIP
TDM PSTN
Voice Switch
PRI (ISDN over multiple E1s or STM-1s)
Voice Switch
TDM PSTN
POTS VoIP/ToIP SIP Softswitch MGCP
TDM PSTN
Voice Switch
MGW
RTP
S B C
Internet SIP/RTP
H.323/RTP
Other Carrier VoIP Core
MGW
UKNOF 5 : NGN VoIP : Neil J. McRae
7
Softswitch Architecture (Intermediate Architecture)
COLT or 3rd party TDM/SS7 Networks
Softswitch (Call Control, Signalling GW, Media GW Control, Subscriber Database and Voice Applications)
Session Border Control
COLT or 3rd party IP Network
Media Gateway
End Users
Management and Provisioning
End Users
> Softswitch: it combines the Call Control, the Signalling Gateway and the Media Gateway Control function. Together with the Media Gateway function it provides signalling and media inter-working with the legacy TDM voice network. The intelligence of the system (call control functionality) as well the customer database resides within the softswitch function. > Session Border Control: it provides secure access control to the customer appliances and mediates between the COLT IMS and any 3rd party IP network > Management and Provisioning: it is an integrated OSS platform that allows end to end provisioning and management across the technology components.
UKNOF 5 : NGN VoIP : Neil J. McRae
IMS Architecture (Target Architecture) IMS Application Layer
COLT or 3rd party TDM/SS7 Networks
End Users
Interworking with TDM Voice Network
Core SIP Call Control
Customer Profile Database
Management and Provisioning
Session Border Control
COLT or 3rd party IP Network
End Users
>
Interworking with TDM Voice Network: it provides signalling and media inter-working with the TDM voice network
>
Core SIP Call Control: it is a set of SIP enabled devices that control the flow of SIP messages between the customer appliances (IP phones, soft phones, wireless handhelds) and the rest of the IMS components
>
Customer Profile Database: it contains the user identity and the user service profile, providing session authentication and access to service applications
>
Session Border Control: it provides secure access control to the customer appliances and mediates between the IMS and any 3rd party IP network
>
Application Layer: it provides the service logic, with a set of Application Servers dedicated to specific services (eg an IP Centrex AS for telephony services, a Mobility AS for FMC integration, a Messaging AS for unified messaging and presence services)
>
IMS Management and Provisioning: it is an integrated OSS platform that allows end to end provisioning and management across the IMS technology components.
UKNOF 5 : NGN VoIP : Neil J. McRae
Softswitch Architecture – Logical Level 1
Direct VoIP Traffic
2
Indirect VoIP Traffic
3
Indirect TDM Traffic
Softswitch Application Layer
Call Control
Media Signalling AA
ISUP
MGCF
Subscriber DB
Legacy Apps
SGW
Voice Apps
NGIN
3
3rd
party TDM/SS7 Networks
TDM
MGW
Media Gateway
RTP Proxy
Session Border Control
H.323 / SIP
ALG
RTP
3rd party IP Networks RTP
UA
H.323 / SIP, RTP
H.323 / SIP
2
H.323 / SIP
COLT NGN Transport Network RTP
H.323 / SIP
1
UA
UKNOF 5 : NGN VoIP : Neil J. McRae
UA ALG MGW MGCF SGW NGIN
User Agent Application Layer Gateway Media Gateway Media Gateway Ctrl Function Signalling Gateway Next Gen IN
IMS Architecture – Logical Level 1
Direct VoIP Traffic
2
Indirect VoIP Traffic
3
Interworking with TDM Voice Network
Indirect TDM Traffic ISUP
Media Signalling AA
NGIN
AS
Application Layer
SGW Diameter
SIP
SIP
MGCF
CSCF
Diameter
HSS
3
3rd party TDM/SS7 Networks
PCM
SIP
MGW RTP Proxy
Core SIP Call Control
SIP ALG
Customer Profile Database Session Border Control
RTP
3rd party IP Networks RTP
SIP
UA
SIP, RTP
2
NGN Transport Network RTP SIP
UA
UKNOF 5 : NGN VoIP : Neil J. McRae
SIP
1
UA I-BGF A-BGF CSCF HSS
User Agent I/C-Border Gw Function Access-BGF Call/Session Ctrl Function Home Subscriber Server
MGW MGCF SGW AS NGIN
Media Gateway Media Gateway Ctrl Function Signalling Gateway Application Server Next Gen IN
VoIP Core Network Architecture with Security
Billing
WEB
DB
F W
H.323/RTP CPE
FW IP PBX IP PBX
S F B W C
IP / MPLS PBX
SBC H.323/MGCP/RTP
Softswitch MGW
MGW
TDM / PSTN
CPE
F W
S B C
MGW
UKNOF 5 : NGN VoIP : Neil J. McRae
SIP/RTP
Carrier
Internet H.323/RTP
Carrier
12
Nortel Voice Services
SIP or SIPT
Network Signalling
CS2000
USP LPP
SS7
CS2000 GWC
• Lawful Intercept • Conferencing • Announcements
H.248
M3UA/SCTP
Centrex IP Client Manager (CICM)
CS LAN
Back Office
H.248
IEMS SIP
Element Management
PSTN
MS2010
MG15K
Firewall NAT/NAPT
Cable
IP Network
NCS
SIP
CMTS
H.323
SIP UNIStim
HF C
SIP
PBX
Derived Lines CPE IAD
xDSL IAD DSLAM
UKNOF 5 : NGN VoIP : Neil J. McRae
Video Feed
Hosted PBX
MGCP
Centrex IP
PC i2004 Softclient Etherset
BCP (RTP Media Portal)
MGCP
H.248
Session Server Lines
Cable Modem
Huawei MM - Meeting Conference
IP Centrex
GTAS9900 GTAS
MM - PS Presence
iManagerN2000 NMS
MM - Messaging IM
HSS9820 HSS
Application Layer SIP CSC3300 S-CSCF
CSC3300 BGCF CSC3300 P-CSCF
Session Control Layer
SIP
CSC3300 I-CSCF
iCG9815 CCF
MRS6200 MRF
SE2000 SBC
SIP
SoftX3000 AGCF/MGCF/MGC
Other Carrier
SG7000 SG
SS7
Managed IP Core
UMG8900 SIP IAD IP-Phone
MGW
H.323 IP-PBX
IAD IP-Phone
Access Layer
UKNOF 5 : NGN VoIP : Neil J. McRae
IP-PBX
PRI
SS7
E1
PBX
PSTN
Alcatel 8965 CCCS
1300 CMC
X1
X1
8628 MMIC App Server X1
DPNSS Gateway
8690 OSP App Server 8640CMM -8675 LNP X1
X 10 – UK Only
5020 CSC
5020 MGC
X7
X1
Convedia Media Server
1357 LI X1
X1
5020 SLS X2
Access Border Gateway X 339 total
75xx TGW
Intercept Manager
7510 = 3 7515 = 10
In-Country SITE
QSIG Gateway(s) X 5 per country
UKNOF 5 : NGN VoIP : Neil J. McRae
X 1 per country
Ericsson IMS control SCP
HSS
Access Gateway Control Function (AGCF) PSTN/ISDN Emulation Service
Feature Server
TeS
RSS
IUA
H.248 (AGW)
TDM
PBX
Media Gateway Control Function (MGCF)
ISC ~SIP SIP
CSCF
H.248
TeS
SIP SIP
SIP
TDM
Feature Server
Diameter
AGC
Q.931
EAR
Presence Server
Telephony Softswitch
V5.2
IP Centrex Broadband telephony
MGC/ Telephony SGW Softswitch
SIP
ISUP
MRFC H.248
MRFP
MPLS/ IP
MGW
SIP/ H.323
H.248
CCS
PBN Telephony RTP
MGW
PSTN
RTP
MSAN
D S L
A-SBG
Broadband access Router/ BRAS
IAD SIP+RTP
UKNOF 5 : NGN VoIP : Neil J. McRae
RTP
N-SBG SIP/H.323 VoIP
Cisco Application Server
Billing & Measurement
ISC COLT STP
I P T
Presence Engine
COLT PSTN
PGW
CSCP-SE
Cx Sh
HSS
MGW FWSM SBC
SIP-T SIP
SIP/H.323 Interconnect Carrier
SIP
MGCP
SIP
MGCP
SIP
CSCP-EP Reseller
SIP / H.323 IP PBX
COLT IP PBX
BRI PRI
BRI Q.SIG
PRI DPNSS
SIP end-devices
Carrier VoIP Service
COLT VoIP Reseller
COLT Voice Gateway
COLT IP-PBX
UKNOF 5 : NGN VoIP : Neil J. McRae
COLT Total
COLT Voice Integrate
Lucent VitalQIP
Lucent Communication Manager
DNS / ENUM, DHCP
Beyond Other SIP Applications
Colibria Kodiak Polycom.
Lucent Presence Server
Lucent AnyPath
Lucent FS 3000
USDS / DF
SurePay
HSS, HLR, AAA
CCF, OCS
Lucent SM S-CSCF
BGCF
I-CSCF
Lucent NC MGCF SGF
P-CSCF
Audiocodes IPMedia 2000
ETSI ISUP v2 (M2UA)
Media Server
IP Core Lucent CS
Working Alternative
Acme
Acme Packet Packets Net-Net SD
S/BC
PRI Gateway
SCP STP Existing COLT TDM Switch
SIP SIP
Legacy PBX
INAP
Lucent MG NG
E1 IMT ETSI ISUP v2
Access Network SIP IAD
PTT
H.323
IADs, ATAs, SIP Hard and Soft Phones
UKNOF 5 : NGN VoIP : Neil J. McRae
H.323 IP PBX
Sonus
IMX – Open Applications Server/ Broker
OSPA Enhanced Services
G S X 9 0 0 0 ™ Open Services Switch PSTN/ PLMN
Packet Network
S o n u s I n s i g h t ™ Management System Provisioning, Billing and Monitoring G S X 4 0 0 0 ™ Open Services Switch PSTN/ PLMN
G S X 9 0 0 0 ™ Network Border Switching Function Packet Network
PSX - Routing Server ASX SGX - Signaling Gateway VoBB Access Class 5 Services
UKNOF 5 : NGN VoIP : Neil J. McRae
Packet Network
VoIP Protocols H.323 > ITU, ASN.1, CPE/PhoneGatekeeper
> H.225/RAS (1719/UDP) for registration > H.225/Q.931 (1720/TCP) for call setup > H.245 (>1024/TCP – or over call setup channel) for call management MGCP (Media Gateway Control Protocol) > IETF, Softswitch (CallAgent)MGW > CallAgents->MGW (2427/UDP) > MGW->CallAgents (2727/UDP) > Used to control MGWs > AoC (Advice Of Charge) towards CPE - **
UKNOF 5 : NGN VoIP : Neil J. McRae
20
VoIP Protocols SIP >IETF, HTTP-like >Session based – Does anyone here not know what SIP is? :D RTP >Media stream (one or one per direction) >CODECs (G.711{a,u}, G.726, G.729(a)) >RTCP: control protocol for RTP
>SRTP: Secure RTP (w/ MiKEY) >Often 16000+/UDP or default NAT range, but can be any UDP>1024 >Can be UA U Aa k a “ F r e e Intersite” or UAMGWUA UKNOF 5 : NGN VoIP : Neil J. McRae
21
H.323 versus SIP > The majority of current COLT VoIP products is based on H.323 > This is mainly owing to missing functionality on SIP > Questionable interoperability and scalability concerns still exist though (10s of billions of minutes) > SIP not expected to completely replace H.323 in the mid/long term. > Protocols are somewhat complementary- no religion here though! > More detail on the differences
> and more insight on understanding of our direction at: > http://www.packetizer.com/voip/h323_vs_sip/ > This is expected to change over time UKNOF 5 : NGN VoIP : Neil J. McRae
Session Border Controller What the role of an SBC ?
>Security >Hosted NAT traversal (correct signalling / IP header) >Signalling conversion >Media Conversion >Stateful RTP pin-holing based on signalling Can be located at different interfaces: Customer/Provider, inside customer LAN, Provider/Provider (VoIP peering)
What can be done on a FW with ALGs ? What can be done on the end-system ? Is there a need for a VoIP NIDS (especially with SIP-TLS)? UKNOF 5 : NGN VoIP : Neil J. McRae
23
VoIP Hardware Mix of software and hardware (mostly DSPs) >Softswitch: usually only signalling >MGW (Media Gateway): RTPTDM, SS7oIPSS7 >IP-PBX: Softswitch+MGW Operating systems >Real-time OSes (QNX/Neutrino, VxWorks, RTLinux) >Windows >Linux, Solaris Poor OS hardening Patch management:
>OSes not up-to-date >N o t “ a l l o w e d ” t o p a t c h t h e m UKNOF 5 : NGN VoIP : Neil J. McRae
24
Security Challenges VoIP protocols >No, VoIP isn't just SIP >SIP is a driver for IMS services and cheap CPEs
>H.323 and MGCP (still) rock the carrier world Security issues >VoIP dialects >Only a couple of OEM VoIP stacks (think x-vendor vulnerabilities) >FWs / SBCs: do they solve issues or introduce complexity ? >Are we creating backdoors into customer networks ?
>CPS and QoS UKNOF 5 : NGN VoIP : Neil J. McRae
25
One more backdoor? « Executive floor » WLAN AP
« IT floor » Internet access r
ap
fw cpe
r s
External laptop
Internet
r
r cpe r s
s
fw av as p
Remote maintenance
Corporate Internet access
CPE
ar
VoIP
Vendor Office
Remote office/ Partners IP VPN
UKNOF 5 : NGN VoIP : Neil J. McRae
Partner
IP PBX Shared TFTPd
Customer B Customer C
26
VoIP Dialects No way to firewall / ACL (especially if non-stateful) based on protocol inspection Vendors who never heard of timeouts and don't send keep-alives Result : > Clueful: –Permit UDP
> Half clueful: –Permit UDP 1024> any
> Clueless: –Permit UDP any any
End-result: > 0wn3d via exposed UDP services on COTS systems > Who needs RPC services (>1024/UDP) ?
UKNOF 5 : NGN VoIP : Neil J. McRae
27
Lawful Intercept >Re-use existing solutions: TDM break-out >Install a sniffer (signalling & media stream) >Re-route calls (but hide it in the signalling) >Eavesdropping not a real threat (own network) >Enterprise network : Needs to be a part of a global security strategy – How many have this? – Clear text e-mail – Clear text protocols (HTTP, Telnet, etc) – VoIP – Etc >VoIP over WLAN easy.
UKNOF 5 : NGN VoIP : Neil J. McRae
28
Phones and Terminals IP Phones Reliability > Quite easy to crash (weak implementation)
TCP/IP
stacks and buggy software
> Mostly an insider threat – How clueful is your cleaner? – DHCP server – TFTP server (phone configuration) – Credentials (login + PIN) – Fraud issues. VoIP doesn't mean that you need to move to IP Phones > PBX with E1 (PRI/BRI) to router and then VoIP > PBX with IP interface towards the outside world (but do you really want to put your PBX on the Internet) ? > Means that you have to maintain two separate networks, but “ s o l v e s ” t h e QoS issues on a LAN > What about soft clients ?! – All the usual Unix/Windows issues.
UKNOF 5 : NGN VoIP : Neil J. McRae
29
Denial of Service Generic DDoS > Not a real issue, you can't talk to our VoIP Core – ACLs are complex to maintain use edge-only BGP blackholing
> We are used to deal with large DDoS attacks :) – http://www.securite.org/presentations/ddos/
DoS that are more of an issue > Generated by customers: not too difficult to trace (IT Clue)
> Protocol layer DoS : H.323 / MGCP / SIP signalling – Replace CPE / use soft-client – Inject crap in the in-band signalling (MGCP commands, weird H.323 TPKTs, etc)
– Get the state machine of the inspection engine either confused or in a block-s t a t e , i f l u c k y f o r t h e “ s e r v e r ” a d d r e s s e s a n d n o t t h e clients – Vendors not really thinking about this. UKNOF 5 : NGN VoIP : Neil J. McRae
30
Security Challenges Online services >Call Management (operator console) >IN routing (Fraud potential)
>Reporting / CDRs Security issues >Multi-tenant capabilities
>Have the vendors ever heard of web application security ? >Who needs security or lawful intercept if a kid can route your voice traffic via SQL injection WebApp FWs are really required...
UKNOF 5 : NGN VoIP : Neil J. McRae
31
Security Challenges TDM / VoIP : two worlds, two realms, becoming one ? >S e c u r i t y b y “ o b s c u r i t y ” / c o m p l e x i t y vs the IP world >Fraud detection Security issues >New attack surface for legacy TDM/PSTN networks
>No security features in old Class4/Class5 equipment >No forensics capabilities, no mapping to physical line >Spoofing and forging
>People: Voice Engineers vs Data Engineers vs Security engineers. Engineering vs Operations. Marketing vs Engineering. Conflicts and Time-to-Market UKNOF 5 : NGN VoIP : Neil J. McRae
32
Operational Concerns VoIP is damn complex
Only way to debug most of the issues: VoiceEng + IP/DataEng + SecurityEng on a bridge/online chat Requirement: be able to sniff all traffic Tool: Ethereal/Wireshark Attacker: Just use any of the protocol decoder flaw in the sniffer
Make sure your sniffers are on R/O SPAN ports, in a DMZ which only allows in-bound VNC/SSH Do not underestimate the effort on a multi Country setup – What is EU?!
If the guy is really good and can upload a rootkit over RTP: get his CV and offer him a job – you need this guy – serious skills shortage UKNOF 5 : NGN VoIP : Neil J. McRae
33
VoIP Carrier Interconnect A k a “ V o I P p e e r i n g ” / C a r r i e r i n t e r c o n n e c t Already in place (TDM connectivity for VoIP carriers/Skype{In, Out}) Connectivity: over the Internet, IX (public/private), MPLS VPN or VPLS (Ethernet)
No end-to-end MPLS VPN, break the VPN and use an IP-IP interface Hide your infrastructure (topology hiding), use {white, black}listing and make sure only the other carrier can talk to you Signalling/Media conversion (SBC) Remember – t h i s i s n ’ t w e b t r a f f i c – its termination money in both directions! UKNOF 5 : NGN VoIP : Neil J. McRae
34
Encryption / Authentication Do we want to introduce it ? V e n d o r X : “ W e a r e c o m p l i a n t ” . S u r e .
V e n d o r Y : “ I t ' s o n o u r r o a d m a p ” . Q 1 Y 3 1 3 3 7 ? V e n d o r Z : “ W h y d o y o u n e e d t h i s ? ” . Hmmmm... IPsec from CPE to VoIP core >Doable (recent HW with CPU or crypto card) >What about CPECPE RTP ? >Still within RTT / echo-cancellation window May actually do mobile deviceVoIP core >Bad guys can only attack the VPN concentrators >No impact on directly connected customers Still reliability issues in vendor implementations UKNOF 5 : NGN VoIP : Neil J. McRae
35
IMS Security – The Future IMS = IP Multimedia Subsystem Remember when the mobile operators built their WAP and 3G networks ?
>M o s t l y “ o p e n ” ( a k a t e r m i n a l i s t r u s t e d ) >E v e n c o n n e c t e d w i t h t h e i r “ i n t e r n a l ” / I T n e t w o r k IMS services with MVNOs, 3G/4G: overly complex architecture with tons of interfaces Large attack surface: registration/tracking servers, application servers, etc Firewalling: complex if not impossible
Next thing to try: Attack FixedMobile handover (GSMWiFi) UKNOF 5 : NGN VoIP : Neil J. McRae
36
Questions?
UKNOF 5 : NGN VoIP : Neil J. McRae
37