Post on 17-Sep-2018
The Future of Communication Services in the Internet – Opportunities and Risks
Erwin P. Rathgeb, Technik der Rechnernetze, Universität Duisburg-Essen
Jochen Kögel, Marc Barisch, IKR, Universität Stuttgart
Steffen Fries, Siemens AG, Corporate Technology
Overview
New service opportunities lead to new security threats
– Telephony as an example
A more general view
– What makes services vulnerable?
– What has to be done?
Generic solutions instead of protocol extensions
– Example: identity management
Do we get a second chance?
– The Future Internet
Zukunft der Netze 2009, 2, Rg – Communication services in future networks – Opportunities and threats
Unfortunately there are many services/applications – how to secure all of them?
http://de.wikipedia.org/wiki/Bild:WorldWideWebAroundWikipedia.png
Service example: Telephony – Past
Service example: Telephony – Past, present
Service example: Telephony – Past, present and future
[Figure: VoIP using SIP – global calls, no additional fees (Internet flat rate); bulk calls for free → SPIT.
With SIP infrastructure (e.g. Asterisk, IMS): a SIP Registrar helps to locate the called SIP client in the Internet, provides access for toll calls and provides an account for billing; global access to the home account → unauthorized access, toll fraud.
Without SIP infrastructure (P2P): the caller has to know/find the current location and ID of the called SIP client.]
SIP security threats – Registration hijacking and toll fraud
[Figure: two registrars, private_server.de and provider_server.de, reached over the Internet. Labels: "Register as 201@private_server.de" (sip:201@private_server.de), "Register as 456@provider_server.de" (sip:456@provider_server.de, shown twice) and "Outgoing toll call".]
Experimental system to study SIP threats – SIP Honeypot system
[Figure: attacks from the Internet pass through a HoneyWall to the VoIP server (an extended Asterisk); analysis and management components are attached.]
SIP Honeypot System – Evaluation study
Short field test
– Duration about 2 months
VoIP Honeypot
– Accepting and logging incoming calls from the internet
– Handling and logging Register attempts
– Honeypot was found and attacked
• No further publishing activity required
Publication of one specific SIP URI on web site
– SIP URI was found and attacked
SIP Honeypot System – Results
[Chart: number of registration hijacking attempts per day, 20.07.2008 to 14.09.2008 (weekly x-axis ticks), y-axis 0 to 3.5.]
SIP Honeypot System – Results
Scan for active extensions
– Duration 2 to maximum 30 seconds
– Different scan patterns
• Scan all extensions from 101 to 900
• Scan specific intervals
• Scan for common account names (info, service, …, first names)
– Result: list of active extensions
Password scan
– Only performed in some cases
– Between 5 and 90 attempts per active extension
– Different scan patterns
• Numbers (e.g. extension number)
• Dictionary attacks
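The two scan patterns recorded by the honeypot (a sweep over an extension range, then a burst of 5 to 90 guesses against each active extension) leave a recognisable trace in a registrar's own log. The following added example, written for this page and not taken from the talk or from Asterisk, parses a constructed REGISTER log in an assumed line format and flags both patterns per source address; the thresholds are assumptions set below the behaviour reported in the study.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed registrar log (not from the talk's honeypot). Assumed line format:
# "<ISO timestamp> REGISTER from=<ip> user=<extension> result=<ok|fail>"
SAMPLE_LOG = """\
2008-08-03T10:00:00 REGISTER from=203.0.113.7 user=101 result=fail
2008-08-03T10:00:00 REGISTER from=203.0.113.7 user=102 result=fail
2008-08-03T10:00:01 REGISTER from=203.0.113.7 user=103 result=fail
2008-08-03T10:00:01 REGISTER from=203.0.113.7 user=104 result=fail
2008-08-03T10:00:02 REGISTER from=203.0.113.7 user=201 result=fail
2008-08-03T10:00:30 REGISTER from=203.0.113.7 user=201 result=fail
2008-08-03T10:00:31 REGISTER from=203.0.113.7 user=201 result=fail
2008-08-03T10:00:32 REGISTER from=203.0.113.7 user=201 result=fail
2008-08-03T10:00:33 REGISTER from=203.0.113.7 user=201 result=fail
2008-08-03T11:15:00 REGISTER from=198.51.100.9 user=201 result=ok
"""
LINE_RE = re.compile(r"^(\S+) REGISTER from=(\S+) user=(\S+) result=(ok|fail)$")

def parse(log_text):
    """Yield (time, source_ip, extension, result) for every well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4)

def detect_scans(log_text, min_extensions=5, window_s=30, min_guesses=5):
    """Return (kind, source_ip, extension_or_None, count) findings: an extension_scan
    when one source tries >= min_extensions distinct users within window_s seconds,
    a password_scan when one source fails >= min_guesses times against one user."""
    by_ip = defaultdict(list)
    for t, ip, ext, result in parse(log_text):
        by_ip[ip].append((t, ext, result))
    findings = []
    for ip, events in by_ip.items():
        events.sort()
        # Window anchored at each event: distinct extensions tried within window_s.
        for i, (t0, _, _) in enumerate(events):
            exts = {e for t, e, _ in events[i:] if (t - t0).total_seconds() <= window_s}
            if len(exts) >= min_extensions:
                findings.append(("extension_scan", ip, None, len(exts)))
                break
        # Repeated authentication failures against the same extension.
        fails = defaultdict(int)
        for _, ext, result in events:
            if result == "fail":
                fails[ext] += 1
        findings.extend(("password_scan", ip, e, n) for e, n in sorted(fails.items()) if n >= min_guesses)
    return findings
```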
SIP Honeypot System – Specific attack tools already available
– Port scan
– Fabricate and manipulate SIP packets
– svmap: scan for SIP servers, fingerprinting
– svwar: scan for active extensions
– svcrack: password scan
State of the internet security reloaded – Malware, SPAM and Phishing
[Charts: (1) identified attacks, suspicious activities, alarms and warnings per day, 9-Feb to 10-Apr; (2) number of mails over time, 01.01.06 to 05.01.07.]
Each computer attached to the internet
– Is discovered immediately
– Is permanently under attack
– Most attacks are fully automated
SPAM and Phishing are omnipresent
– Difficult to protect mail addresses
– SPAM doesn't stop once it began
– Used mainly for fraud and phishing
Existing and new threats – Very similar patterns
Basically the same situation as for malware and SPAM
– Malicious activity already present
– Low cost, bulk delivery, ubiquitous connectivity, full automation
• Attractive basis for fraud and phishing
– Low risk for the attacker
• All information relevant for backtracking can be forged
• Compromised hosts can be used
– Open source tool boxes readily available on the internet
Escalation of the problems can be expected
– Increasing penetration of SIP telephony attracts attackers
– P2P mode SIP (e.g. ENUM) makes SPIT easier
– Home servers with SIP Registrar functionality let vulnerabilities for toll fraud explode
What has been done – SIP Security Landscape
SIP – inherent signaling security measures for client/server and server/server communication:
- HTTP Digest Authentication (mandatory)
- TLS to provide cryptographic protection of TCP data (mandatory for server, recommended for clients)
- IPSec to provide cryptographic protection (optional)
- End-to-End security for signaling data using S/MIME for authentication, integrity protection and confidentiality (opt.)
Extensions/Updates (examples)
– Enhancements to Authenticated Identity Management (RFC4474) and Connected Identity in SIP (RFC4916) for asserting identity of communicating peers
– Certificate Management Service for SIP (draft-ietf-sip-certs), for providing credential handling for clients
– Managing Client Initiated Connections in SIP (draft-ietf-sip-outbound), and Connection Reuse in SIP (draft-ietf-sip-connectreuse) for re-using TLS connections between peers
– …
[Figure: Client A – SIP Proxy A – SIP Proxy B – Client B]
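HTTP Digest Authentication, listed above as mandatory for SIP, is what stops a third party from registering as 201@private_server.de without the account password (the hijacking scenario shown earlier in the deck). The added example below, not code from the talk or from any SIP product, computes the RFC 2617 response as SIP uses it and shows a registrar verifying a REGISTER, rejecting a wrong password and rejecting a replayed response; the realm, account and password are constructed.

```python
import hashlib
import secrets

def md5_hex(s):
    return hashlib.md5(s.encode()).hexdigest()

def digest_response(username, realm, password, method, uri, nonce):
    """RFC 2617 Digest without qop, as used by SIP: MD5(HA1:nonce:HA2) with
    HA1 = MD5(user:realm:password) and HA2 = MD5(method:request-uri)."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

class Registrar:
    """Registrar-side check of a REGISTER carrying Digest credentials.
    Constructed for illustration; not Asterisk's or any product's code."""
    def __init__(self, realm, accounts):
        self.realm = realm
        self.accounts = accounts        # username -> password (plaintext only for the demo)
        self.issued_nonces = set()      # nonces handed out in 401 challenges, single use

    def challenge(self):
        """Issue a fresh nonce for the 401 Unauthorized / WWW-Authenticate header."""
        nonce = secrets.token_hex(16)
        self.issued_nonces.add(nonce)
        return nonce

    def verify_register(self, username, uri, nonce, response):
        """True only if the response proves knowledge of the account password for
        this nonce; the nonce is consumed so a captured REGISTER cannot be replayed."""
        password = self.accounts.get(username)
        if password is None or nonce not in self.issued_nonces:
            return False
        self.issued_nonces.discard(nonce)
        expected = digest_response(username, self.realm, password, "REGISTER", uri, nonce)
        return secrets.compare_digest(expected, response)

def demo():
    """Legitimate registration succeeds; replaying the captured response fails;
    a registration for the same account with a wrong password fails."""
    reg = Registrar("private_server.de", {"201": "example-secret"})
    uri = "sip:private_server.de"
    n1 = reg.challenge()
    good = digest_response("201", reg.realm, "example-secret", "REGISTER", uri, n1)
    legit = reg.verify_register("201", uri, n1, good)
    replay = reg.verify_register("201", uri, n1, good)
    n2 = reg.challenge()
    wrong = digest_response("201", reg.realm, "password", "REGISTER", uri, n2)
    hijack = reg.verify_register("201", uri, n2, wrong)
    return legit, replay, hijack
```

Digest proves possession of the password only, so a weak password still yields to the dictionary-style guessing the honeypot recorded; that is why the deck pairs it with TLS and with monitoring of registration attempts.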
What has to be done – Security measures in SIP VoIP deployments
Authentication of users towards SIP servers
– Currently mainly passwords, certificate based authentication is less deployed
Authentication of SIP server towards user
– Certificate based as part of TLS supported
Confidentiality and integrity protection of signaling information
– Starting via TLS (or IPSec in 3GPP)
– Not necessarily on all parts of the communication path
Additional infrastructure related measures
– Multimedia-capable firewalls, IEEE 802.1X, etc.
– Preferably in enterprise environments
Media encryption is becoming available
– SRTP, and currently MIKEY, SDES (SDP security descriptions) or ZRTP for key management
[Figure: deployment scenario – Home Domain (DSL access, VPN connection) and Enterprise Domain (Intranet, Voice Server, Firewall + SBC) connected through the Provider Domain (LAN, ATM, etc., SBC, Voice Server), carrying SIP and RTP.]
Convergence of networks and services – Convergence of vulnerabilities
Yesterday → Today → Tomorrow
Yesterday – separate networks, each with its own risks:
– Voice networks. Risks: toll fraud, misuse of service (dialer), call back service misuse
– Data networks. Risks: eavesdropping, spoofing, masquerading, traffic analysis, denial of service
– Applications. Risks: manipulation, virus, worms, etc., SPAM, misuse of application data
Today – multimedia networks (VoIP, VoD, Triple Play). Combined risks: SPIT, SPIM, identity theft, denial of service
Tomorrow – Unified Communication. Risks: denial of service, …
VoIP - Voice over IP / VoD - Video on Demand / Triple Play - TV, (IP-)Telephony and Internet Access via one media / SPIT - Spam over Internet Telephony / VOMIT - Voice over misconfigured Internet telephones
Which services are at risk? Always the popular ones
[Figure: services plotted by service concept (open vs. closed) against number of reachable users (low vs. high): open – SIP VoIP, XMPP IM, social networks; closed – ISDN, Skype, MSN and ICQ IM.]
We need a more comprehensive approach – Generic solutions instead of protocol extensions
SWIFT Project: A Cross-Layer Identity Management Concept
Use identities across layers
– Same identity for network and application services
– Extend secure network authentication (SIM card, …) towards services
– Allows Single Sign-On
– Improved usability
– Improved security
Introduce virtual identity concept
– User has several identities
– User can integrate existing accounts
– User-controlled attribute release
– Improved privacy
Incorporation into existing architectures
– (Shibboleth, Diameter, SAML, …)
SWIFT Project Facts
• FP7 project
• 9 partners (NEC, Universität Stuttgart, …)
• 01/2008-06/2010
• www.ist-swift.org
Identinet is the Future Internet
[Figure: a virtual identity (VID) spanning application layer services (TV service, eMail service, eBank service) and network layer services (network access service, VPN service).]
The Future Internet – A second chance?
Service components instead of protocols
– Flexible service orchestration
Novel addressing concepts
– Location/identifier split
– Simplifies mobility and security
Network virtualization
– More flexibility
– New options for security
Security as basic design goal
– Comprehensive effort is needed
– Historic mistakes have to be avoided