Die Zukunft der Kommunikationsdienste im Internet – Möglichkeiten und Risiken
(The future of communication services in the Internet – opportunities and risks)

Transcript of the slide deck (20 pages)

Page 1: Title slide

The future of communication services in the Internet – opportunities and risks
(Die Zukunft der Kommunikationsdienste im Internet – Möglichkeiten und Risiken)

Erwin P. Rathgeb, Technik der Rechnernetze, Universität Duisburg-Essen
Jochen Kögel, Marc Barisch, IKR, Universität Stuttgart
Steffen Fries, Siemens AG, Corporate Technology

Page 2: Overview

New service opportunities lead to new security threats
– Telephony as an example

A more general view
– What makes services vulnerable?
– What has to be done?

Generic solutions instead of protocol extensions
– Example: identity management

Do we get a second chance?
– The Future Internet

Zukunft der Netze 2009, 2, Rg – Communication services in future networks – Opportunities and threats

Page 3: Unfortunately there are many services/applications – How to secure all of them?

[Image: http://de.wikipedia.org/wiki/Bild:WorldWideWebAroundWikipedia.png]

Page 4: Service example: Telephony – Past

[Figure without extractable text]

Page 5: Service example: Telephony – Past, present

[Figure without extractable text]

Page 6: Service example: Telephony – Past, present and future

VoIP using SIP: global calls, no additional fees (Internet flat rate)
– Bulk calls for free, which enables SPIT

With SIP infrastructure (e.g. Asterisk, IMS):
– SIP Registrar
  • Helps to locate the called SIP client in the Internet
  • Provides access for toll calls
  • Provides account for billing
– Global access to home account, which opens the way to unauthorized access and toll fraud

Without SIP infrastructure (P2P):
– Caller has to know/find current location and ID of called SIP client

Page 7: SIP security threats – Registration hijacking and toll fraud

[Figure: private_server.de and provider_server.de connected via the Internet. Labels: "sip:201@private_server.de", "Register as 201@private_server.de", "Register as 456@provider_server.de" (two arrows), "sip:456@provider_server.de", "Outgoing toll call" (two arrows)]

Page 8: Experimental system to study SIP threats – SIP Honeypot system

[Figure: attacks enter through a HoneyWall into an extended Asterisk VoIP server; Analysis and Management components are attached]

Page 9: SIP Honeypot System – Evaluation study

Short field test
– Duration about 2 months

VoIP Honeypot
– Accepting and logging incoming calls from the Internet
– Handling and logging REGISTER attempts
– Honeypot was found and attacked
  • No further publishing activity required

Publication of one specific SIP URI on web site
– SIP URI was found and attacked

Page 10: SIP Honeypot System – Results

[Chart: number of registration hijacking attempts per day; x-axis in weekly ticks from 20.07.2008 to 14.09.2008 (20.07., 27.07., 03.08., 10.08., 17.08., 24.08., 31.08., 07.09., 14.09.); y-axis 0 to 3.5]

Page 11: SIP Honeypot System – Results

Scan for active extensions
– Duration 2 to maximum 30 seconds
– Different scan patterns
  • Scan all extensions from 101 to 900
  • Scan specific intervals
  • Scan for common account names (info, service, …, first names)
– Result: list of active extensions

Password scan
– Only performed in some cases
– Between 5 and 90 attempts per active extension
– Different scan patterns
  • Numbers (e.g. extension number)
  • Dictionary attacks
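Added example, not part of the slides or of the honeypot they describe: a small log detector for the two patterns listed above (a fast sweep over extension numbers, then password guessing against the extensions that exist), run over constructed REGISTER log lines. The log format, hosts and thresholds are assumptions of this example; the thresholds follow the slide's numbers (scans lasting 2 to 30 seconds, 5 to 90 password attempts per active extension).

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed, simplified REGISTER log format (an assumption of this example, not the
# honeypot's or Asterisk's native format): source IP, tried user and outcome per attempt.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) REGISTER from=(?P<ip>[\d.]+) user=(?P<user>\S+) result=(?P<result>\w+)$')

def parse(log_text):
    """Yield (timestamp, ip, user, result) for each well-formed line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m['ts']), m['ip'], m['user'], m['result']

def detect(log_text, scan_users=20, scan_window_s=30, brute_tries=5):
    """Return alerts for extension enumeration (>= scan_users distinct unknown users from
    one IP within scan_window_s seconds; slides: 101..900 swept in 2 to 30 s) and password
    scans (>= brute_tries bad passwords against one existing extension; slides: 5 to 90)."""
    unknown = defaultdict(list)   # ip -> [(ts, user)] for result=unknown_user
    badpw = defaultdict(int)      # (ip, user) -> number of bad_password results
    for ts, ip, user, result in parse(log_text):
        if result == 'unknown_user':
            unknown[ip].append((ts, user))
        elif result == 'bad_password':
            badpw[(ip, user)] += 1
    alerts = []
    for ip, events in unknown.items():
        events.sort()
        start = 0
        for end in range(len(events)):   # sliding time window over this source's events
            while (events[end][0] - events[start][0]).total_seconds() > scan_window_s:
                start += 1
            distinct = {u for _, u in events[start:end + 1]}
            if len(distinct) >= scan_users:
                alerts.append(('extension_scan', ip, len(distinct)))
                break
    for (ip, user), n in badpw.items():
        if n >= brute_tries:
            alerts.append(('password_scan', ip, user, n))
    return alerts

# Constructed sample: a 25-second sweep over users 101..125 from one host, six password
# guesses against extension 201 from a second host, and one legitimate registration.
SAMPLE_LOG = "\n".join(
    [f"2008-08-10T10:15:{i:02d} REGISTER from=203.0.113.5 user={101 + i} result=unknown_user"
     for i in range(25)]
    + [f"2008-08-10T11:00:{i:02d} REGISTER from=198.51.100.7 user=201 result=bad_password"
       for i in range(6)]
    + ["2008-08-10T11:05:00 REGISTER from=192.0.2.10 user=201 result=ok"])
```

Calling detect(SAMPLE_LOG) returns one extension_scan alert for 203.0.113.5 and one password_scan alert for 198.51.100.7 against extension 201; the legitimate registration from 192.0.2.10 raises nothing.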

Page 12: SIP Honeypot System – Specific attack tools already available

[Figure: attack steps and the tools observed for each of them]
– Port scan
– Fabricate and manipulate SIP packets
– svmap: scan for SIP servers
– Fingerprinting
– svwar: scan for active extensions
– svcrack: password scan

Page 13: State of the Internet security reloaded – Malware, SPAM and Phishing

[Chart 1: identified attacks, suspicious activities, alarms and warnings per day, 9 Feb to 10 Apr]
[Chart 2: number of mails per day, 01.01.06 to 05.01.07]

Each computer attached to the Internet
– Is discovered immediately
– Is permanently under attack
– Most attacks are fully automated

SPAM and Phishing are omnipresent
– Difficult to protect mail addresses
– SPAM doesn't stop once it began
– Used mainly for fraud and phishing

Page 14: Existing and new threats – Very similar patterns

Basically the same situation as for malware and SPAM
– Malicious activity already present
– Low cost, bulk delivery, ubiquitous connectivity, full automation
  • Attractive basis for fraud and phishing
– Low risk for the attacker
  • All information relevant for backtracking can be forged
  • Compromised hosts can be used
– Open source tool boxes readily available on the Internet

Escalation of the problems can be expected
– Increasing penetration of SIP telephony attracts attackers
– P2P mode SIP (e.g. ENUM) makes SPIT easier
– Home servers with SIP Registrar functionality let vulnerabilities for toll fraud explode

Page 15: What has been done – SIP Security Landscape

[Figure: Client A – SIP Proxy A – SIP Proxy B – Client B]

SIP – inherent signaling security measures for client/server and server/server communication:
– HTTP Digest Authentication (mandatory)
– TLS to provide cryptographic protection of TCP data (mandatory for servers, recommended for clients)
– IPsec to provide cryptographic protection (optional)
– End-to-end security for signaling data using S/MIME for authentication, integrity protection and confidentiality (optional)

Extensions/Updates (examples)
– Enhancements to Authenticated Identity Management (RFC 4474) and Connected Identity in SIP (RFC 4916) for asserting the identity of communicating peers
– Certificate Management Service for SIP (draft-ietf-sip-certs) for providing credential handling for clients
– Managing Client-Initiated Connections in SIP (draft-ietf-sip-outbound) and Connection Reuse in SIP (draft-ietf-sip-connect-reuse) for re-using TLS connections between peers
– …
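Added example, not from the slides: a minimal registrar-side check of the mandatory HTTP Digest authentication listed above, as applied to a SIP REGISTER request. The registrar issues a nonce in its challenge, the client answers with MD5(HA1:nonce:HA2), and the registrar verifies the answer and refuses a replayed nonce. It assumes the basic RFC 2617 form without qop, a plaintext user store, and uses the realm private_server.de from the slides; the class and function names are this example's own.

```python
import hashlib
import hmac
import secrets

def md5_hex(s):
    return hashlib.md5(s.encode()).hexdigest()

def digest_response(username, realm, password, method, uri, nonce):
    """RFC 2617 Digest without qop, as SIP clients compute it for REGISTER:
    response = MD5( MD5(user:realm:password) : nonce : MD5(method:uri) )."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

class Registrar:
    """Minimal registrar-side Digest check with one-shot nonces (example, not a SIP stack)."""

    def __init__(self, realm, users):
        self.realm = realm
        self.users = users          # username -> password; plaintext store is an assumption
        self.outstanding = set()    # nonces issued in a 401 challenge and not yet consumed

    def challenge(self):
        """Values the registrar puts into the WWW-Authenticate header of its 401 reply."""
        nonce = secrets.token_hex(16)
        self.outstanding.add(nonce)
        return {"realm": self.realm, "nonce": nonce, "algorithm": "MD5"}

    def verify(self, username, uri, nonce, response, method="REGISTER"):
        """True only if the nonce is fresh and the response proves knowledge of the password.
        Every attempt consumes its nonce, so a captured Authorization header cannot be
        replayed. Digest still leaves the rest of the message unprotected and an observer
        can guess passwords offline against a captured response, which is why the slides
        list TLS next to it."""
        if nonce not in self.outstanding:
            return False
        self.outstanding.discard(nonce)
        password = self.users.get(username)
        if password is None:            # unknown extension: same answer as a bad password
            return False
        expected = digest_response(username, self.realm, password, method, uri, nonce)
        return hmac.compare_digest(expected, response)
```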

Page 16: What has to be done – Security measures in SIP VoIP deployments

[Figure: home domain (DSL) and enterprise domain (Intranet; LAN, ATM, etc.; Firewall + SBC; voice server; VPN connection) attached to the provider domain (SBC, voice server); SIP and RTP flow between the domains]

Authentication of users towards SIP servers
– Currently mainly passwords; certificate-based authentication is less deployed

Authentication of SIP server towards user
– Certificate-based as part of TLS supported

Confidentiality and integrity protection of signaling information
– Starting via TLS (or IPsec in 3GPP)
– Not necessarily on all parts of the communication path

Additional infrastructure-related measures
– Multimedia-capable firewalls, IEEE 802.1X, etc.
– Preferably in enterprise environments

Media encryption is becoming available
– SRTP, and currently MIKEY, sdescriptions or ZRTP for key management

Page 17: Convergence of networks and services – Convergence of vulnerabilities

Yesterday
– Voice networks. Risks: toll fraud, misuse of service (dialer), call-back service misuse
– Data networks. Risks: eavesdropping, spoofing, masquerading, traffic analysis, denial of service
– Applications. Risks: denial of service, manipulation, viruses, worms, etc., SPAM, misuse of application data

Today
– Multimedia networks (VoIP, VoD, Triple Play). Combined risks: SPIT, SPIM, identity theft, denial of service

Tomorrow
– Unified Communication. Risks: denial of service, …

VoIP – Voice over IP / VoD – Video on Demand / Triple Play – TV, (IP-)Telephony and Internet access via one medium / SPIT – Spam over Internet Telephony / VOMIT – Voice over misconfigured Internet telephones

Page 18: Which services are at risk? Always the popular ones

[Chart: service concept (closed/open) against number of reachable users (low/high)]
– Open: SIP VoIP, E-Mail, IM (XMPP), social networks
– Closed: ISDN, Skype, IM (MSN, ICQ)

Page 19: We need a more comprehensive approach – Generic solutions instead of protocol extensions

SWIFT Project: A Cross-Layer Identity Management Concept

[Figure: one virtual identity (VID) used for application layer services (TV service, eMail service, eBank service) and network layer services (network access service, VPN service); slogan: "Identinet is the Future Internet"]

Use identities across layers
– Same identity for network and application services
– Extend secure network authentication (SIM card, …) towards services
– Allows Single Sign-On
– Improved usability
– Improved security

Introduce virtual identity concept
– User has several identities
– User can integrate existing accounts
– User-controlled attribute release
– Improved privacy

Incorporation into existing architectures
– (Shibboleth, Diameter, SAML, …)

SWIFT Project Facts
• FP7 project
• 9 partners (NEC, Universität Stuttgart, …)
• 01/2008–06/2010
• www.ist-swift.org

Page 20: The Future Internet – A second chance?

Service components instead of protocols
– Flexible service orchestration

Novel addressing concepts
– Location/identifier split
– Simplifies mobility and security

Network virtualization
– More flexibility
– New options for security

Security as basic design goal
– Comprehensive effort is needed
– Historic mistakes have to be avoided