Meletis Belsis - IMS Security
Meletis Belsis, Information Security Consultant
MPhil / MRes / BSc, C|EH / CCSA / CWSP
IMS Security
Presentation Agenda
• IMS Architecture
• IMS Complexity
• IMS Threats
• VoIP Attacks
• The Hacker’s Toolbox
• IMS Security
IMS Architecture
• The IP Multimedia Subsystem (IMS) was initiated by the 3GPP Group to allow Mobile Service Providers to extend their services using the TCP/IP protocol.
• IMS was built around TCP/IP ver 6. Because most providers currently use TCP/IP ver. 4, the initial security features proposed cannot be implemented.
• The system was further enhanced by the TISPAN group with the idea of the Next Generation Network (NGN), which extends the IMS to allow access through ADSL and land lines.
• Mobile Operators will use the IMS to offer multimedia services including VoIP and VoD.
IMS Architecture
• IMS architectures use the SIP protocol to exchange signaling messages and the RTP protocol to exchange customer traffic.
• The IMS Core is built around a Call Session Control Function (CSCF), which manages user access and allows the distribution of Content Services.
• User management is performed by the Home Subscriber Server (HSS). The HSS is similar to the HLR in 3G Networks.
• The Diameter protocol is used for AAA.
IMS Security Complexity
• Securing an IMS network is complex because:
  • IMS inherits most TCP/IP vulnerabilities.
  • IMS users connect through a number of different access media (e.g. UMTS, ADSL, PSTN).
  • IMS uses SIP and RTP (UDP communication) and thus may not be able to operate on networks that use firewalls. Special proxy techniques like Simple Traversal of UDP through NATs (STUN) need to be applied.
  • Signaling (SIP) and Media (RTP) traffic may follow different routes.
IMS Threats
• Denial of Service
  • Flood Attacks
  • BYE Tear Down
  • Registration Reject
  • Hold Attack
  • Call Reject
• Interception Attacks
  • Call Hijacking
  • Registration Hijacking
  • Media Session Hijacking
  • Server Masquerading
  • DNS Poisoning
  • Caller ID Spoofing
  • VoIP VLAN Hopping
  • ARP Spoofing
  • SIP Injection
  • Session Modification
• Social Attacks
  • SPIT
• Fraud Attacks
VoIP Threats
• VoIP Platform Vulnerabilities
  • CAN-2004-0056: Malformed H.323 packet to exploit Nortel BCM vulnerabilities
  • CAN-2004-0054: Exploits Cisco IOS H.323 implementation
  • CVE-2007-4459: Cisco SIP DoS vulnerabilities
  • CVE-2007-6424: Vulnerabilities in the Fonality Trixbox 2.0 PBX products
  • CVE-2007-5361: Vulnerabilities in the Alcatel-Lucent OmniPCX Enterprise Communication Server
  • CVE-2007-5556: Vulnerabilities in the Avaya VoIP Handset
SIP Injection
• The UE’s initial REGISTER request looks like:
REGISTER SIP: home1.de SIP/2.0
Authorization: Digest Username=”[email protected]”, realm=”home1.de”, nonce=” “, uri=”SIP: home1.de”, response=” “
• A malicious REGISTER request carrying an SQL injection looks like:
REGISTER SIP: home1.de SIP/2.0
Authorization: Digest Username=”[email protected];delete tablesubscriber”, realm=”home1.de”, nonce=” “, uri=”SIP: home1.de”, response=” “
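As an added example that is not part of the original deck, a defender-side check for the REGISTER injection described above: parse the Digest Authorization header, allowlist the username before it reaches the HSS subscriber database, and look the subscriber up with a bound parameter. The sample messages, the username pattern and the in-memory subscriber table are constructed for illustration.

```python
import re
import sqlite3

# Constructed sample REGISTER requests (not from the original deck); the second
# carries the ";delete table subscriber" payload the slide describes.
LEGIT_REGISTER = (
    "REGISTER sip:home1.de SIP/2.0\r\n"
    'Authorization: Digest username="alice@home1.de", realm="home1.de", '
    'nonce="abc123", uri="sip:home1.de", response="0000"\r\n\r\n'
)
INJECTED_REGISTER = (
    "REGISTER sip:home1.de SIP/2.0\r\n"
    'Authorization: Digest username="alice@home1.de;delete table subscriber", '
    'realm="home1.de", nonce="abc123", uri="sip:home1.de", response="0000"\r\n\r\n'
)

# Allowlist for a SIP identity (user part plus optional @domain): ';', quotes and spaces are rejected.
USERNAME_RE = re.compile(r"^[A-Za-z0-9._+-]{1,64}(@[A-Za-z0-9.-]{1,253})?$")
PARAM_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_digest(msg):
    """Return the Digest parameters of the first Authorization header, or {}."""
    for line in msg.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "authorization":
            value = value.strip()
            if value.lower().startswith("digest "):
                return dict(PARAM_RE.findall(value[len("digest "):]))
    return {}

def validate_username(msg):
    """True only if the Digest username matches the allowlist."""
    user = parse_digest(msg).get("username", "")
    return USERNAME_RE.fullmatch(user) is not None

def demo_subscriber_db():
    """In-memory stand-in for the HSS subscriber table (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE subscriber (username TEXT, realm TEXT)")
    conn.execute("INSERT INTO subscriber VALUES ('alice@home1.de', 'home1.de')")
    return conn

def lookup_subscriber(conn, msg):
    """Allowlist first, then a bound parameter so the username is never parsed as SQL."""
    if not validate_username(msg):
        return None
    user = parse_digest(msg)["username"]
    row = conn.execute("SELECT realm FROM subscriber WHERE username = ?", (user,)).fetchone()
    return row[0] if row else None
```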
Hacker’s Toolbox
• Oreka: A cross-platform system for recording and retrieving audio streams
• rtpBreak: Detects, reconstructs and analyzes any RTP session through heuristics over the UDP network traffic
• SIPCrack: A SIP protocol login cracker
• SiVuS: A SIP vulnerability scanner
• BYE Teardown: Disconnects an active VoIP conversation by spoofing the SIP BYE message from the receiving party
• SipRogue: A multifunctional SIP proxy that can be inserted between two talking parties
• RTPInject: An attack tool that injects arbitrary audio into established RTP connections
• TFTP Cracker: A tool to attack VoIP endpoints and copy their configuration through TFTP
• ILTY (I am Listening to You): A multi-channel VoIP sniffer
• Registration Adder: A tool that allows fake registrations to be sent
IMS Countermeasures
• Encryption: The original standard proposed the use of the IPSec protocol in a hop-by-hop deployment. The TLS protocol can also be used to encrypt the SIP messages exchanged between the nodes.
• Firewalls: Ensure that VoIP components (i.e. SIP Proxy, DNS, DHCP, Radius) are logically located behind Session Border Controllers (SBC). SBCs provide firewalling capabilities while bypassing NAT problems. Traditional firewalls can be used to build DMZ zones for IP-based systems (i.e. DNS, Radius).
IMS Countermeasures
• Management: Avoid using weak management protocols like TFTP, Telnet and SNMP ver 2.
• Security Gateways (SEGs): SEGs must be deployed at the edge of an IMS. These create a Network Security Domain (NDS) which protects the IMS core from other IMS networks.
• Antivirus: Deploy hardware antivirus appliances at the customer edge.
IMS Countermeasures
• Hardening the network environment
• Enforce security at the Network Equipment:
  • Port Security
  • DHCP Snooping
  • Receive Access Lists
  • Enable MAC Filtering
  • Define the maximum number of MAC addresses per port
  • Use Egress and Ingress filtering on all Border Routers
  • Apply DoS protection techniques at the edge (e.g. Black Holing)
  • Use dedicated Management VLANs on the IMS Core
  • BGP and Routing Security
• Use AAA on all IMS infrastructure systems
• Harden the OS of the platforms used:
  • DNS Zone Transfers
  • IP to MAC mappings on DHCP
  • Apply Security Patches / Updates
  • Disable Telnet and/or r-utilities
IMS Countermeasures
• IDS/IPS
  • SIP-aware IDS / IPS
  • Host-based IDS/IPS at the Application Servers
• VoIP Honeypots
  • VoIP Phones
  • Fake SIP Proxies