security model-of-sip-d2-05 at kishore


DESCRIPTION

Presentation by AT Kishore in SIP International Forum at Paris called SIP2008 International, a global seminar

TRANSCRIPT

Page 1: Security model-of-sip-d2-05 at kishore

Alcatel-Lucent - Proprietary

A T Kishore, January 31st, 2008

“Security Model” of SIP

Page 2: Security model-of-sip-d2-05 at kishore

Alcatel-Lucent – Proprietary

All Rights Reserved © Alcatel-Lucent 2007

Agenda

1. Security is Ever Pervasive

2. SIP is no exception

3. Introducing SIP CIA Model

4. ‘Always ON’

5. Call Flow Scenarios

Page 3

Security is Ever Pervasive

Page 4

Alcatel-Lucent’s resources are pioneers in the knowledge that drives security innovations

About Alcatel-Lucent Leadership and Expertise in Security

Patents and standardization: R&D leadership

Hundreds of patents in security, cryptography, biometrics, firewalls, denial of service and virus detection

ITU standards visionary (X.805), then ISO 18028

Major player in ITU-T SG 17 – Lead Study Group on Communication System Security

CERT-IST operation, FIRST membership since 1999

Bell Labs leadership in:

- Creation of new cryptography (SHAZAM for CDMA2000, PAK)
- Breaking of old cryptography (PKCS#1, DSA, SOBER, Clipper)
- Development of optical-rate encryption ciphers and NSA-certified encryptors
- Pioneering work in provable security
- Biometrics (voice authentication with secured models)
- High-speed encryption hardware (e.g., for SANs)
- Integration of 802.11 and 3G AAA
- Watermarking

Page 5

Building security into the DNA of complex systems

The Bell Labs Security Framework / ITU-T X.805 Security Standard / ISO 18028 Security Standard

Layers: Infrastructure, Services, Applications

Planes: End User, Control / Signaling, Management

3 layers x 3 planes = 9 security modules (MODULE 1 ... MODULE 9)

Eight security dimensions applied to every module:

Access Control

Authentication

Non-Repudiation

Data Confidentiality

Communication Security

Data Integrity

Availability

Privacy

(9 modules x 8 dimensions = 72 security cells)

Alcatel-Lucent Bell Labs Security Framework: the international standard to build secure-by-design communications solutions

Threats / attacks addressed by the framework: Destruction, Disclosure, Corruption, Removal, Interruption

Page 6

Viruses are just one part of a greater danger: cybercrime

Viruses are now used as ‘tools’ to:

Install backdoors

Steal identity data

Mount major attacks

Major attacks for rent

A menacing change in attacker skill and motivation

Security trends: hacker ‘professionalism’ on the rise

Virus -> Backdoor -> SPAM -> Targeted attacks -> Major attacks

(ex: Autoproxy, Sobig)

(ex: Bugbear.b, Sobig)

Financial data theft

Going rates on the underground market (source CLUSIF):

On-demand DDoS attack: 38 to 750 €

20000 proxies for spam: 75 €/week

Network of 500 bots (= zombies): 380 €

Exclusive access to a bot: 0.35 €/bot

Non-exclusive access to a bot: 0.15 €/bot

“Virus makers are becoming mercenaries.”

Page 7

Security – The Jobs to do

Web-based commerce

Regulatory requirements & homeland security

Attacks increasing in sophistication and impact

External and internal threats and vulnerabilities

Need for privacy, reliability and availability

Increasingly complex technology

Operational challenges, patch management

Outsourcing and application hosting

Page 8

SIP is no Exception

Page 9

Tackling SIP Security - General SIP servers

Execution phases for all incoming SIP messages:

Reception (network socket buffer)

Parsing (computationally intensive for SIP!)

Processing (depends on the type of message and the SIP element)

Marshalling & transmission

General multi-threaded SIP server: each thread takes a message from the network socket buffer and runs full parsing followed by processing

Page 10

Tackling SIP Security - Prioritizing SIP servers

Modifications:

Prioritization mechanism

Message priority queue

On-demand parsing during prioritization and processing

Prioritizing SIP server: network socket buffer -> pre-parsing & prioritization -> message priority queue -> remainder parsing & processing (several threads)

Page 11

Tackling SIP Security - Message processing stages

General SIP server: Parsing -> Processing

SIP server with on-demand parsing: parsing on demand during processing

Prioritizing SIP server with efficient parsing: parsing on demand during prioritization -> Queuing -> parsing on demand during processing

Measured sojourn time (excluding network buffer)

Parse only what is strictly necessary, in combination with an efficient header field recognition algorithm

Prioritization policies based on message characteristics, system state, and statistics

Page 12

Tackling SIP Security - Prioritizing SIP server

SIP devices -> Service Provider -> SIP server 1 ... SIP server n

Per server: Pre-parsing -> Prioritizing -> Processing; SIP messages that the policy rejects are dropped

Policy definition

Dynamic adaptation to real-time conditions

Bell Labs Java SIP stack
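The pre-parse / prioritize / remainder-parse pipeline described on the last three slides, as an added example that is not code from the talk or from the Bell Labs SIP stack. The overload policy (responses and BYE/CANCEL first, new INVITEs shed first), the queue capacity and the sample messages (documentation addresses) are all assumptions made for illustration; pre_parse stops scanning at the To header, so a flood of large messages costs the front end only a few header lines each.

```python
import heapq
import itertools
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Illustrative overload policy (an assumption, not the talk's): lower value is served first.
# Responses and tear-down requests complete or free existing work; new INVITEs create state.
PRIO_RESPONSE = 0
PRIO_TEARDOWN = 1      # BYE, CANCEL
PRIO_IN_DIALOG = 2     # other requests carrying a To tag (ACK, re-INVITE, ...)
PRIO_REGISTER = 3
PRIO_NEW_INVITE = 4
PRIO_OTHER = 5

def pre_parse(raw: bytes) -> dict:
    """Parse only what the policy needs: the start line and the To header.
    Scanning stops at the first To header, so per-message cost is bounded."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    start = lines[0].decode("latin-1")
    info = {"is_response": start.startswith("SIP/2.0 "), "method": None,
            "status": None, "to_tag": False}
    if info["is_response"]:
        info["status"] = int(start.split(" ", 2)[1])
    else:
        info["method"] = start.split(" ", 1)[0].upper()
    for line in lines[1:]:
        name, sep, value = line.decode("latin-1").partition(":")
        if sep and name.strip().lower() in ("to", "t"):   # "t" is the compact form
            info["to_tag"] = ";tag=" in value.lower().replace(" ", "")
            break
    return info

def full_parse(raw: bytes) -> dict:
    """Remainder parsing, done only for messages that survived prioritization."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        name, sep, value = line.decode("latin-1").partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return {"start_line": lines[0].decode("latin-1"), "headers": headers, "body": body}

def priority_of(info: dict) -> int:
    if info["is_response"]:
        return PRIO_RESPONSE
    if info["method"] in ("BYE", "CANCEL"):
        return PRIO_TEARDOWN
    if info["to_tag"]:
        return PRIO_IN_DIALOG
    if info["method"] == "REGISTER":
        return PRIO_REGISTER
    return PRIO_NEW_INVITE if info["method"] == "INVITE" else PRIO_OTHER

@dataclass(order=True)
class Queued:
    priority: int
    seq: int                        # arrival order breaks ties: FIFO within a class
    raw: bytes = field(compare=False)

class PrioritizingServer:
    """Pre-parse -> prioritize -> bounded priority queue -> remainder parsing."""

    def __init__(self, capacity: int) -> None:
        self.capacity = capacity
        self._heap: List[Queued] = []
        self._seq = itertools.count()
        self.dropped: Dict[int, int] = {}   # drops per class: statistics a policy can adapt on

    def receive(self, raw: bytes) -> None:
        heapq.heappush(self._heap, Queued(priority_of(pre_parse(raw)), next(self._seq), raw))
        if len(self._heap) > self.capacity:
            victim = max(self._heap)        # lowest-priority, most recently arrived message
            self._heap.remove(victim)
            heapq.heapify(self._heap)
            self.dropped[victim.priority] = self.dropped.get(victim.priority, 0) + 1

    def serve(self) -> Optional[dict]:
        return full_parse(heapq.heappop(self._heap).raw) if self._heap else None

# Constructed sample traffic using documentation addresses (not a real capture).
INVITE = (b"INVITE sip:bob@example.com SIP/2.0\r\n"
          b"From: Alice <sip:alice@example.com>;tag=1928301774\r\n"
          b"To: Bob <sip:bob@example.com>\r\nCall-ID: a84b4c76e66710@192.0.2.1\r\n"
          b"CSeq: 314159 INVITE\r\nContent-Length: 0\r\n\r\n")
OPTIONS = (b"OPTIONS sip:example.com SIP/2.0\r\nTo: <sip:example.com>\r\n"
           b"From: <sip:probe@192.0.2.9>;tag=77\r\nContent-Length: 0\r\n\r\n")
REGISTER = (b"REGISTER sip:example.com SIP/2.0\r\nTo: <sip:alice@example.com>\r\n"
            b"From: <sip:alice@example.com>;tag=42\r\nContent-Length: 0\r\n\r\n")
OK_200 = (b"SIP/2.0 200 OK\r\nTo: Bob <sip:bob@example.com>;tag=a6c85cf\r\n"
          b"CSeq: 314159 INVITE\r\nContent-Length: 0\r\n\r\n")
BYE = (b"BYE sip:alice@192.0.2.1 SIP/2.0\r\nt: Alice <sip:alice@example.com>;tag=1928301774\r\n"
       b"From: Bob <sip:bob@example.com>;tag=a6c85cf\r\nContent-Length: 0\r\n\r\n")

def run_demo(capacity: int = 3) -> Tuple[List[str], Dict[int, int]]:
    """Push the five samples through a queue of the given capacity; return served start lines and drops."""
    server = PrioritizingServer(capacity)
    for raw in (INVITE, OPTIONS, REGISTER, OK_200, BYE):
        server.receive(raw)
    served: List[str] = []
    while (msg := server.serve()) is not None:
        served.append(msg["start_line"])
    return served, server.dropped
```

With capacity 3 the OPTIONS probe and the new INVITE are dropped while the 200 OK, the BYE and the REGISTER are served, in that order; with capacity 5 nothing is dropped and the same ordering still applies. The per-class drop counts are the "statistics" input the slides mention for adapting the policy at run time.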

Page 13

All Corners of Security Challenges

SIP sits between:

Pressure of reducing operational costs & competition

Need to boost market confidence in the security of VoIP and XoIP transactions

Regulatory requirements

Hacking & other attacks

Page 14

Introducing SIP CIA Model

Page 15

The CIA Triad is a widely used information assurance model. It consists of:

Confidentiality: ensuring that information is accessible only by those who are authorized.

Integrity: ensuring that information is pristine, unaltered and complete.

Availability: ensuring that the information is available when and where it is needed.

Page 16

Keys, Values & Codes CIA model for SIP Security

Page 17

Session Universe - People, Processes and Enableware

The SIP AS sits at the centre of People, Process and Technology

People

Awareness about the importance of SIP Security compliance

Convergence mind set

Process

Feedback loops with automated and interactive web based solutions to tie people, process and technologies together

SIP/IMS Technology

Adaptive messages for data gathering & analysis

Platforms, subsystems

Databases

Page 18

CIA model for SIP Security

Page 19

The Model is ‘Always ON’

Page 20

Two Parts to the Security Strategy

Value Prop – Create Revenue

a. Enhances the Trust Model

1. End-to-end security approach in NGN

2. A solution – not more point products

3. Centralize management for response

b. Lower the Opex of Security Management

1. Central event correlation manager

2. Central resource manager

Value Prop - Enhance the Brand

a. Different from the competition

b. Creates a foundation for “trustworthiness”

Part One: Security Inside

Part Two: Keeping IT Secure

Protect the network, keep it “trustworthy”

Integrated to lower the opex of security

Centralized Security Management

Page 21

Enterprise Security Solutions

Systems Integrators

Network service providers

Data/Converged VARs

SIP is perhaps the latest and most effective digital bridge of all known bridges

Nonstop Laptop Guardian

Pre/post admission control

User Aware Network Security

Mobile Users Security

Key Business Critical Application Security

Web Services Gateway

Page 22

Enterprise Applications

Personal Call Manager

PECaBoo

Allege – WorkTrack / Field Supervisor

Page 23

A Location-based Service Product from Bell Labs Research & Mobility/IN

iLocator Features

A location-based track application / platform

Tracks people/events/places on a map

People: Track buddies within a vicinity

Events: Track if there is a sale or a traffic-jam nearby

Places: Display preferred shops, ATMs, gas stations, and restaurants in the user’s vicinity

Enables custom services targeting enterprises, families, govt.

For example, TeenTracker, FleetTracker, DirectionFinder

Supports SMS’ing from within the application

Works across network types, location techniques, handsets

Page 24

Consumer Applications >> Data Messaging

PhonePages (PeCaBoo)

A phonepage is a light-weight home page attached to your phone number

Subscribers push their pages to callers and receive pages on calls from other subscribers

Drives data session usage by letting subscribers surf during and after calls

Displays in connection with phone calls

Different features at different events (for example, calling, rejected, busy)

Displays in multiple formats (for example, WAP, SMS, e-mail, etc.)

Services used:

Multiparty Call Control

User Interaction (WAP Push, SMS)

Page 25

Enterprise Applications >> Data Messaging

EWay

Provides remote and secure access to enterprise networks for mobilizing and telecom-enabling enterprise IT applications and systems

Supports communication capabilities such as messaging, call management, content charging, presence and availability management, and universal service access through web, WAP and interactive voice

Mobile internet and IVR access to MS Exchange and Outlook

Outbound call management with click-to-dial and voice activated dialing from contact lists

Services used:

Call Control

User Interaction

Page 26

Consumer & Enterprise Applications

Fuzion

End-users specify personal preference to manage their communication needs.

Ability to define personal profile (at home, office, travel, can be reached at, etc) and instruct the system to handle incoming calls for call routing, call screening and notification treatment

Supports Personal communication portal (PCP) for personal address book, calendar, messages storage via Web, WAP and Voice interfaces

Services used:

Call Control

User Interaction

Page 27

Edge Protection

Deployed at the edge of your network as your first line of defense

Provides multi- and blended-threat security along with securing VoIP

Protects critical VoIP (H.323, SIP) resources from attacks

Page 28

SIP Security and Value

Value – Flexibility – Innovation

Focused approach on key areas where SIP Security can bring value through:

Innovation: by virtue of being an open protocol, SIP paves the way for innovation

Flexibility: of deployment choices, modularity and openness (ecosystem)

User Aware Network Security – most flexible solution to allow user pre and post admission control

Mobile Users Security – unique solution solving the mobile blind spot

Key Business Critical Application Security – industry first to provide stateful policy enforcement across the organization

Page 29

The Alcatel-Lucent VPN Firewall - Made for Global Scalability

Diagram: Managed Service Clients (Customer A, Customer B, Customer C), each behind an existing router and a VPN Firewall Brick® (Brick® 20, 50-150, 700, 1100 or 1200), connected over the IP Network to Data Center Services (VLAN 100 Extranet Server, VLAN 200 SAP Server, VLAN 300 Mail Server, VLAN 400 Public Server) behind further Brick® 1100/1200 firewalls; Centralized Management with ALSMS (Core A / Core B, Active/Active Management) and ALSCS.

Page 30

The Alcatel-Lucent Security Portfolio in the Enterprise

Technology:

ALVF with SRM/PDG/RBR

Evros

CloudControl

Vital ISA (SEM)

Vital AAA/QIP/Endforce

AWARE

Identity Management

Security Professional Services

Managed Security Services

Diagram: a Network Cloud connecting Headquarters, Global Offices, Primary Data Center, Alternate Data Center, Manufacturing Center, SOC - 24X7, Mobile Workforce and Consultants

Page 31

www.alcatel-lucent.com

Page 32

Security in Call Scenarios

Page 33

Applications - Reach Me “AnyWare”

Jacques owns a Real Estate Agency and wants to be reachable for (important) clients any time, anywhere – independent of the network he is connected to.

Diagram: Jacques (Owner); Home in Evry; Main Office in Concorde (8am – 12pm); Office in Sorbonne (1pm – 5pm); Jacques’ mobile phone; callers: Michelle – important client, Pierre – less important client

He wants to use his convenient, high-quality wireline phones whenever he is in the office or at home

He uses his mobile phone when he is traveling

He wants to be reached at his current location, whether the caller dialed his office, home, or mobile number

He sometimes must change his regular schedule/preferences to serve important clients

Page 34

Encryption

Symmetric

Encryption and decryption use the same key

Key must be secret (secret key)

Best known: DES, AES, IDEA, Blowfish, RC5 (DES’s 56-bit key is brute-forceable and should not be used in new designs)

Asymmetric

Also known as Public Key Encryption

Encryption and decryption keys are different

One key is public, the other is private

In IPsec:

Symmetric (secret-key) cryptography is used for payload encryption (ESP) and, in the form of a keyed hash (HMAC), for packet authentication (AH & ESP)

Asymmetric cryptography is used for initial peer authentication in IKE (signatures) and for key exchange in IKE (Diffie-Hellman)

Page 35

Conventions

Page 36

Symmetric Encryption

Page 37

Asymmetric Encryption

Two complementary keys

Private key (kept secret – usually protected by a passphrase)

Public key (published) – problem: authenticity of the published key, which is what certificates address

Basic Premises

The private key cannot be computed from the public key

Encryption with one key can only be reversed with the other key

Best known examples

RSA & ECC; DSA for signatures

Used in

(Open)PGP (Pretty Good Privacy) for digital signatures and encryption

PKI (Public Key Infrastructure) – e.g. certificates for web servers & S/MIME

RSA – Rivest, Shamir, Adleman; ECC – Elliptic Curve Cryptography; DSA – Digital Signature Algorithm

Page 38

Asymmetric Encryption cont’d

Page 39

Hash Functions

Produce hash values for data access or security

Hash value: a number generated from a string of text (or any sequence of bytes)

The hash is substantially smaller than the text itself and of fixed length

Basic Premises:

Infeasible to find another text that produces the same hash value (second-preimage resistance), or any two texts with the same hash (collision resistance)

Unidirectional (the text cannot be calculated from the hash: preimage resistance)

Provides: integrity. Combined with a secret key (HMAC) or a digital signature it also provides message authentication; a bare hash authenticates nothing, since anyone can recompute it over modified data.

Best known: SHA-1 & MD5 (both have since been shown to be collision-prone: practical MD5 collisions were published in 2004 and a SHA-1 collision in 2017, so neither should be relied upon where collision resistance matters)

SHA – Secure Hash Algorithm, MD5 – Message Digest 5

Example (a one-character change yields an unrelated hash):

$ echo The quick brown fox jumps over the lazy dog. | md5sum
0d7006cd055e94cf614587e1d2ae0c8e *-

$ echo The quick brown fox jumps over the lazy dog! | md5sum
54828ad41cf232a5c374689e2f06d3af *-
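Where SIP itself relies on a hash: RFC 3261 authenticates clients with HTTP Digest (RFC 2617), whose response is MD5 over colon-joined fields, so the registrar needs to hold only HA1 = MD5(username:realm:password) rather than the password, and a captured response cannot be replayed for a different method, URI or nonce. The following is an added example, not code from the talk; the realm, user names, password and nonce are constructed, and the qop-less form of the computation is shown (real clients normally add qop=auth with cnonce and nc; RFC 8760 later added SHA-256 variants because of MD5’s weaknesses).

```python
import hashlib
import hmac
import re
import secrets
from typing import Dict

def md5_hex(*fields: str) -> str:
    """MD5 of the colon-joined fields, the primitive RFC 2617 Digest is built from."""
    return hashlib.md5(":".join(fields).encode("utf-8")).hexdigest()

def ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password); a registrar stores this instead of the password."""
    return md5_hex(username, realm, password)

def digest_response(h1: str, method: str, uri: str, nonce: str) -> str:
    """response = MD5(HA1:nonce:HA2) with HA2 = MD5(method:uri), i.e. the no-qop form."""
    return md5_hex(h1, nonce, md5_hex(method, uri))

def new_nonce() -> str:
    """Server side: an unpredictable, single-use nonce for the WWW-Authenticate challenge."""
    return secrets.token_hex(16)

def build_authorization(username: str, realm: str, password: str,
                        method: str, uri: str, nonce: str) -> str:
    """Client side: the Authorization header value answering a Digest challenge."""
    resp = digest_response(ha1(username, realm, password), method, uri, nonce)
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", response="{resp}", algorithm=MD5')

_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')   # key="quoted" or key=token

def parse_digest(header_value: str) -> Dict[str, str]:
    """Split 'Digest k="v", k2=v2, ...' into a dict; ValueError for any other scheme."""
    scheme, _, params = header_value.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest credential")
    return {m.group(1).lower(): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _PARAM.finditer(params)}

def verify_authorization(header_value: str, method: str, realm: str,
                         stored_ha1: Dict[str, str], issued_nonce: str) -> bool:
    """Server side: recompute the response from the stored HA1; constant-time compare."""
    try:
        p = parse_digest(header_value)
    except ValueError:
        return False
    if p.get("realm") != realm or p.get("nonce") != issued_nonce:
        return False                      # wrong realm, or a stale/replayed nonce
    h1 = stored_ha1.get(p.get("username", ""))
    if h1 is None:
        return False
    # A real registrar must also check that uri matches the Request-URI of this request.
    expected = digest_response(h1, method, p.get("uri", ""), issued_nonce)
    return hmac.compare_digest(expected, p.get("response", ""))
```

The method is folded into HA2, so an Authorization header sniffed from a REGISTER fails verification when replayed on an INVITE, and the nonce check rejects a replay against a later challenge. What Digest does not protect against is an offline dictionary attack on a captured exchange, which is why the slides’ model expects the signalling itself to run over a confidential transport.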

Page 40

Hash Functions cont’d

Page 41

Hash Functions cont’d

Page 42

Certificate creation

Page 43

SSH-2 Protocol Stack & Connection Establishment

SSH-2 comprises multiple flexible, layered protocols:

TCP/IP

SSH Transport Layer Protocol (SSH-TRANS)

SSH Authentication Protocol (SSH-AUTH)

SSH Connection Protocol (SSH-CONN)

SSH File Transfer Protocol (SFTP)

Connection Establishment

1. SSH-TRANS – authenticates the host (server host key) and performs the initial key exchange, producing an encrypted, integrity-protected channel

2. SSH-AUTH – authenticates the user via pluggable methods (public key, password, ...); the protocol allows a "none" method, so the server must be configured to require authentication

3. SSH-CONN – channel-based services layer that multiplexes multiple channels (sessions, port forwards) simultaneously over the one connection

4. SFTP – remote file operations, one of the specific applications carried over a channel

Page 44

Summing Up

1. Security is Ever Pervasive

2. SIP is no exception

3. SIP CIA Model

4. The ‘Always ON’ Model at Work

5. Call Flow Scenarios with built in SIP Security

Page 45

www.alcatel-lucent.com