Post on 28-Jan-2016
Hack.L
U 2
00
6
In SPace Nobody Can Hear You
Scream
Nicolas FISCHBACHSenior Manager, Network Engineering Security, COLT Telecomnico@securite.org - http://www.securite.org/nico/ v1
Hack.L
U 2
00
6
2
Internet-wide Security Issues
● What kept us up at night :)
● SNMP
● SQL Slammer (and friends)
● Cisco wedge bug
● BGP TCP window [not really actually]
● Botnets and DDoS
Hack.L
U 2
00
6
3
Internet-wide Security Issues
● What have we done about it ? A lot. Too much maybe ?
● Route/prefix filtering
● DDoS detection: Netflow
● DDoS mitigation: BGP (+ MPLS (+ Cleaning))
● xACLs and MPLS Core hiding
● QoS and Control Plane Policing (CoPP)
● BGP TTL trick (GTSM) and BGP TCP md5
● Unicast RPF (uRPF)
● Router security 101
Hack.L
U 2
00
6
4
Carrier Backone
cr
cr
tr
ccr
ccr
cr
ar
ar
ar cpe
cpe
cpe
cpe
cpe
cr
cr
cpe
Edge
Core
Access
Customer (access)
Customer (transit)
Router “types”
ISPy
ISPa
ISPb
tr
ISPmISPk
ppr
ISPm
ISPy
ISPj
ixpr
Transit
Peering (IX or private)
Access (/30)
Link “types”
Hack.L
U 2
00
6
5
Carrier Backbone Security
Edge
Core
Access
Customer
receive ACLs [rACL] / CoPP
infrastructure ACLs [iACL]
transit ACLs edge [tACLe]
transit ACLs access [tACLa]
Router “types”
BGP (md5 / TTL)
QoSuRPF
Hack.L
U 2
00
6
6
Carrier Backbone DDoS Detection
● Netflow (src/dst IP/port, protocol, ToS, interface - no payload, BPS/PPS/Time)
Edge
Access
Router “types”
NOC
tr
ccr
ccr
ar
ar
artr
ppr
ixpr
(Sampled) Netflow
Aggregated Netflow
Flows
(SNMP) Alerts
colle
ctor
colle
ctor
contr
olle
r
Hack.L
U 2
00
6
7
DDoS Attack Mitigation
internet Server
ircd/p2p
pee
rin
g e
dg
e
Deep Packet Inspection
Sampled Netflow
accesslayer
core
Network Level Mitigation
Data Center Level Mitigation
Hack.L
U 2
00
6
8
Carrier Backbone DDoS Mitigation
Edge
Access
Router “types”
“Attack” traffic
“Good” traffic
Flows
“Bad” traffic
cr
cr
tr
ccr
ccr
cr
ar
cr
cr
tr
ppr
ixpr
ar
insp
ect
ion
VoIP
Core
Hack.L
U 2
00
6
9
Internet-wide Security Issues
● What has really changed ?
● Route filtering : quite relax still
● DDoS detection, but weak mitigation : DDoS == background noise
● QoS : not for security, but for NGN
● CoPP : not widely deployed
● uRPF : not widely deployed
● BGP : md5 common (but useful ?), TTL-trick (the exception)
Hack.L
U 2
00
6
10
Internet-wide Security Issues
● Have we learned the lesson ?
● IPv6
● Lots of security features in software (not in hardware)
● Will we ever see SoBGP / Secure BGP ? Do we need it ?
● Going up the stack, no mitigation at network level anymore (everything on top of 80/tcp, DNS attacks, etc)
Hack.L
U 2
00
6
11
Security Features
● What's the driver ?
● How to get those features across product ranges and vendors
● Shift of features towards edge, access, last/first mile
● But these features are not (often) security features
● Devices that never “saw” the “bad” Internet
● Features vs power vs cooling
● Hardware limitations (FPGA, ASIC, NP)
Hack.L
U 2
00
6
12
Security – which future ?
● No “big” “nation-wide” “critical infrastructure” issue recently
● IP/Data network infrastructure has become a commodity (until it's down)
● No focus on infrastructure security anymore (but the wake up call will be “funny”)
● So where do people put security research and resources into ?
Hack.L
U 2
00
6
13
NGN(Next Generation Networks)
Hack.L
U 2
00
6
14
NGNs
● Next Generation Networks
● VoIP and IMS
● Ethernet/DSL services
● Converged Networks
● Moving up and down the stack at the same time
Hack.L
U 2
00
6
Internet
15
PBX Trunking over IP
FW
PRI (ISDN over E1)TDMPSTN
VoiceSwitch
TDMPSTN
VoiceSwitch H.323(/MGCP)/RTP
No NAT
Softswitch
MGW CPE
PBX
H.323(/MGCP)
MGCP
RTP
PBX
POTS
VoIP/ToIP
No NAT
T.38 (FAX)
64kUR (PBX Mgmt)
DTMF
Hack.L
U 2
00
6
TDMPSTN
Internet
16
Wholesale Voice over IP
PRI (ISDN over multiple E1s or STM-1s)TDM
PSTNVoiceSwitch
TDMPSTN
VoiceSwitch SIP/RTP
Softswitch
MGW
SIP
MGCP
RTP
POTS
VoIP/ToIP
VoiceSwitch
MGWH.323/RTP
OtherCarrierVoIPCore
SBC
Hack.L
U 2
00
6
17
Security challenges
● VoIP protocols
– No, VoIP isn't just SIP– SIP is a driver for IMS services and cheap CPEs– H.323 and MGCP (still) rock the carrier world
● Security issues
– VoIP dialects– Only a couple of OEM VoIP stacks (think x-vendor
vulnerabilities)– FWs / SBCs: do they solve issues or introduce
complexity ?– Are we creating backdoors into customer networks ?– CPS and QoS
Hack.L
U 2
00
6
18
Session Border Controller
● What the role of an SBC ?– Security– Hosted NAT traversal (correct signalling / IP header)– Signalling conversion– Media Conversion– Stateful RTP pin-holing based on signalling
● Can be located at different interfaces: Customer/Provider, inside customer LAN, Provider/Provider (VoIP peering)
● What can be done on a FW with ALGs ?
Hack.L
U 2
00
6
19
IMS services
● IMS = IP Multimedia Subsystem
● Remember when the mobile operators built their WAP and 3G networks ?
– Mostly “open” (aka terminal is trusted)– Even connected with their “internal”/IT network
● IMS services with MVNOs, 3G/4G: overly complex architecture with tons of interfaces
● Large attack surface: registration/tracking servers, application servers, etc
● Firewalling: complex if not impossible
Hack.L
U 2
00
6
20
IMS Future Threats
● FMC: Attack Fixed<->Mobile handover (GSM<->WiFi)
● “Vishing” (VoIP Phishing): risks associated with IVR
● Abusing IN systems
Hack.L
U 2
00
6
21
MSP and IP DSLAM
● Multi-Service Platform aka Carrier Ethernet
● IP/Ethernet DSLAMs
● Remember all the “LAN only” layer 2 attacks ?
● dsniff is not dead ;-)
● VLANs, TCAM, etc.
● Basic IP features DSLAMs
Hack.L
U 2
00
6
22
Conclusion
● Last 5 years : infrastructure security
● Next 5 years : NGN security
● In a couple of years : learn the hard way that NGN needs stable and secure underlying infrastructure