Selected Topics in Information Security

Selected Topics in Selected Topics in InformationInformation

SecuritySecurity

Bazara I. A. BarryDepartment of Computer Science

University of Khartoum

www.itrc.sd/staff/bazara.html

[email protected]

mailto:[email protected]

Course description

With the emerging network models that resulted from the convergence of voice and data networks, new security architectures and solutions are very likely to dominate. This course focuses on converged networks and applications and the security implications associated with them. It sheds light on some advanced security topics such as the conceptual and practical changes needed to provide secure network-based services in a converged environment.

Research Methods – Bazara Barry

Course objectives

This course aims at acquainting students with the latest research trends in the new field of convergence. Moreover, students are expected to become more familiar with the new security architectures suitable for converged environment. Surveying and presenting skills in a wide range of security related issues are expected to be strengthened by the end of the course.

Selected Topics in Information Security – Bazara Barry

Course contents• Security in PSTNs, security in data networks, convergence in networks

and applications, VoIP, associated architectural changes and new models, advantages of convergence, analysis for new threat model and security implications.

• Taxonomy of traffic types and encryption algorithms, impact of different encryption algorithms on various performance metrics such as delay and packet loss, IETF encryption solutions for VoIP.

• Virtual Private Networks in converged environments, various encryption techniques, Multiprotocol Label Switching (MPLS), segregation of network traffic.

• Intrusion detection and prevention techniques, cross-layer and cross-protocol intrusion detection, stateful intrusion detection, hybrid intrusion detection.

• Firewalls, shallow packet inspection, medium depth packet inspection, deep packet inspection, VoIP-aware firewalls, bypassing firewalls and NAT.

• The IP Multimedia Subsystem (IMS), IMS architecture, IMS security architecture, IMS security issues.

• The transition from IPv4 to IPv6. IPv6 security issues, reconnaissance attacks, host initialization and associated attacks, attacks using routing headers.


Course Materials

Various sources such as Internet standards and research papers are to be consulted during this course.

Course assessment

• Written assignments 15%• Presentations 25%• Final exam 60%


1

Introduction on Security and Convergence


Convergence

Convergence in networks refers to the structures and processes that result from design and implementation of a common networking infrastructure that accommodates data, voice, and multimedia communications [1].

Convergence in applications refers to the building of applications that span over different protocols/specifications [2].

Convergence enables carrying voice, video, and other data on the same packet-switched infrastructure, and provides various services related to these kinds of data in a unified way.


PSTN

In most of the world, connectivity to the Public Switched Telephone Network (PSTN) and its numbering system E.164 is considered as essential as electricity or running water.

Even the Internet itself depends on the PSTN to deliver dedicated access circuits as well as dial-up.


PSTN: Central Office Connections


PSTN: Signal Transmission - FDM

Frequency Division Multiplexing (FDM) techniques were developed in the late 1930s and allowed many calls to pass over a single voice circuit by using frequency shifting techniques equivalent to those used by FM radio.

Each 4 kHz band of voice conversation would be shifted up or down to a specific slot, allowing many calls to be carried simultaneously over a single coaxial cable or radio interface.


PSTN: Signal Transmission - TDM

Frequency Division Multiplexing (FDM) was replaced with the more efficient and secure Time Division Multiplexing (TDM).TDM is used in various implementations throughout the communications industry.


ITU-T Signaling System Number 7 (SS7)

SS7 is an ITU-T standard that defines how equipment in the PSTN digitally exchange data regarding call setup and routing.

SS7 uses Common Channel Signaling (CCS), not Channel Associated Signaling (CAS) like its predecessors.


ITU-T Signaling System Number 7 (SS7)


PSTN Protocol Security

ITU-T signaling protocols prior to SS7 were exploited by serious attacks (Blueboxing and the Original Phone Phreaks).

Despite this fact, they continue to be deployed around the world along with older switching equipment that is vulnerable to toll fraud, eavesdropping, and other risks.


SS7 Security

It is much harder for a subscriber to inject signaling into an SS7 network. However, that is not to suggest that SS7 is particularly secure.

Despite this fact, they continue to be deployed around the world along with older switching equipment that is vulnerable to toll fraud, eavesdropping, and other risks.

The primary threat for SS7 networks are the peering arrangements for injection of false and/or fraudulent signaling and other messaging information.


SS7 Security

Risks and countermeasures of using SS7 are summarized by the 3GPP SA WG3 Technical Specification Group in January 2000 for 3G TR 33.900 V1.2.0:

•authentication and supplementary services such as call forwarding are open to major compromise.

•In the past, SS7 traffic was passed between major PTOs covered under treaty organization and the number of operators was relatively small and the risk of compromise was low.

•There is also exponential growth in the use of interconnection between the telecommunication networks and the Internet


Security Problems in the TCP/IP Protocol Suite

The TCP/IP protocol suite which is very widely used today, was developed under the sponsorship of the Department of Defense.

Despite that, there are a number of serious security flaws inherent in the protocols. Some of these flaws exist because hosts rely on IP source address for authentication.

Others exist because network control mechanisms, and in particular routing protocols, have minimal or nonexistent authentication.



In some systems, TCP sequence numbers are predictable which allows attackers to spoof trusted hosts on a local network.

the initial sequence number variable is incremented by a constant amount once per second, and by half that amount each time a connection is initiated.

Thus, if one initiates a legitimate connection and observes the initial sequence numbers used, one can calculate, with a high degree of confidence, initial sequence numbers used on the next connection attempt.


Security Problems in the TCP/IP Protocol SuiteSource Routing: assume that the target host uses the reverse of the source route provided in a TCP open request for return traffic. The attacker can then pick a trusted IP source address. Any facilities available to such machine become available to the attacker.

Routing Information Protocol (RIP): allows an intruder to send bogus routing information to a target host, and to each of the gateways along the way, to impersonate a particular host.

Internet Control Message Protocol (ICMP): may be used for targeted denial of service attacks. Several of its messages, such as Destination Unreachable and Time to Live Exceeded, may be used to reset existing connections.



The “Finger” Service: This service displays useful information about users, such as their full names, phone numbers, office numbers, etc. Such information can be used by attackers to launch various attacks.

The Domain Name System (DNS): provides for a distributed database mapping host names to IP addresses. An intruder who interferes with the proper operation of the DNS can mount a variety of attacks, including denial of service and password collection [3].


VoIP

Voice over Internet Protocol (VoIP) stands out as the standard that benefits from convergence by carrying voice calls over the packet-switched infrastructure of the Internet.

VoIP, from a management and maintenance point of view, is less expensive than two separate telecommunications infrastructures. Implementation can be expensive, but is repaid in the form of lower operating costs and easier administration.


VoIP Architecture

Components in VoIP infrastructure can be generally classified into servers, endpoints, and routing nodes.

VoIP servers are the components responsible for various duties aiming at maintaining the service and enhancing it (address resolution, registration,…).

Endpoints are the devices capable of initiating and terminating a call (IP softphones, PCs,…).

Routing nodes in VoIP environments have the capacity to connect IP networks to either other IP networks or circuit-switched networks.


VoIP Architecture


IP Network Domain 1IP Network Domain 2PSTN

Routing Node Routing NodeServer Server

Endpoint Endpoint PSTN Phone

VoIP Protocols

There are two competing breeds of VoIP signaling protocols, H.323 from the ITU and SIP from the IETF.

H.323 was originally designed based on ITU-T Signaling System Number 7 (SS7).

SIP is much simpler than H.323, but with less internetworking capabilities with PSTN systems.

SIP uses other protocols to perform various functions during a session such as Session Description Protocol (SDP) to describe the characteristics of end devices, Resource Reservation Setup Protocol (RSVP) for voice quality, and Real-time Transport Protocol (RTP) for real-time transmission.


VoIP Security Issues

VoIP environments inherit all the security weaknesses of Internet Protocol (IP).

VoIP standards separate signaling and media on different channels. These channels run over dynamic IP address/port combinations and are controlled by different protocols each with its own security issues.

More processing capabilities and intelligence are shifted to the edge of the network. The number of systems to be protected has increased significantly. This model is a reversal of the traditional security model, where critical data are centralized, bounded, and protected.

VoIP’s sensitivity to adverse network conditions.Selected Topics in Information Security – Bazara Barry

VoIP Threats•Data and Service Disruption: VoIP Control Packet Flood, TCP/UDP/ICMP Packet Flood, VoIP Packet Replay.

•Data and Service Theft: VoIP Social Engineering, VoIP Call Hijacking, VoIP Call Eavesdropping, VoIP Voicemail Hacks.

The most comprehensive list of VoIP threats is maintained by VOIPSA at www.voipsa.com/Activities/taxonomy.php.


http://www.voipsa.com/Activities/taxonomy.php

VoIP Security Model


General constraints and objectives in securing VoIP


Minimize the additional cost of the secured solution by identifying the optimum security solution that will avoid prohibitive cost.

Deploy a secured solution that is generic enough to be applied to most of the NGN applications and service.

Ensure that the security solutions have been implemented and can be deployed and operated in a coordinated way so as to avoid inter-operability problems that would create security gaps.

Ensure that voice and multimedia traffic QoS constraints are taken into account.

Steps Towards Securing VoIP


1. Virtual Private Network (VPN) based solutions to enable a strict end-to-end separation of the data and the voice to be guaranteed.

2. Adopt a secured design that takes security into account while defining the network architecture, and position the security measures across the network in a way that relates to the threats they are countering.

3. Deploy security measures at the borders of the operator domains or security zones. Such security measures apply to media/transport, control, service/application, and management planes separately (front-end security).

Steps Towards Securing VoIP


4. Integrated IDS/IPS that goes beyond its initial role and often includes protection against intrusions, denial of service attacks, viruses, Trojans, worms, and other known exploits.

4. Upgrade the firewall/NAT infrastructure to an Application Layer Gateway (ALG) type of infrastructure, which is VoIP application aware.

5. …


References1. T. Porter, Practical VoIP Security. Rockland, MA: Syngress, 2006, Ch 1, 4.2. N. Khan, “The SIP Servlet Programming Model,” Technology White Paper

(Oct. 2007). Available http://dev2dev.bea.com. 3. Steve M. Bellovin “A Look Back at “Security Problems in the TCP/IP Protocol

Suite”,” Proceedings of 20th Annual Computer Security Applications Conference (ACSAC), December 2004.

http://dev2dev.bea.com/

Selected Topics in Information Security

Documents

Transcript of Selected Topics in Information Security