Secure Telephony Enabled Middle-box (STEM) Maggie Nguyen Dr. Mark Stamp SJSU - CS 265 Spring 2003...

Posted: 22-Dec-2015 (Category: Documents)

Transcript

Secure Telephony Enabled Middle-box (STEM)

Maggie Nguyen
Dr. Mark Stamp
SJSU - CS 265
Spring 2003

STEM is proposed as a solution to network vulnerabilities, targeting the transmission of real-time data over enterprise networks.

Topics

IP Telephony Overview
  IP Telephony Components
  IP Telephony Protocols
  How SIP Works

STEM Architecture
  Architecture Components
  Call Scenarios

STEM Security Countermeasures
  DoS Attack
  Eavesdropping

IP Telephony Components

1. Gateways
2. Gatekeepers
3. IP Telephones
4. PC-based Software Phones
5. MCUs

IP Telephony Protocols

Internet Engineering Task Force (IETF):
  Signaling: Session Initiation Protocol (SIP)
  Transport: Real Time Protocol (RTP)
  Media Description: Session Description Protocol (SDP)

International Telecommunications Union (ITU):
  Signaling: H.323
  Codecs: G.711 (PCM), G.729, …
  ISDN: Q.931

The STEM architecture currently uses the network required for SIP deployment.

How SIP Works – SIP Call Setup

Figure: call setup between SIP IP Phone (sip:[email protected]) and SIP IP Phone (sip:[email protected]) through the two SIP Proxies, with the DNS Server, the Location Service and the Media Transport path; steps 1 to 6 below are numbered in the figure.

1. A request is sent (SIP INVITE) to ESTABLISH a session.
2. DNS Query for the IP Address of the SIP Proxy of the Destination Domain.
3. The INVITE is forwarded.
4. The Location Service is queried to check that the destination SIP URI represents a valid registered device, and its IP Address is requested.
5. The request is forwarded to the End-Device.
6. The destination device returns its IP Address to the originating device and a media connection is opened.

How SIP Works – SIP Call Sequence

Figure: message sequence between SIP IP Phone (sip:[email protected]), its SIP Proxy, the DNS Server, the Location Service, the destination SIP Proxy and SIP IP Phone (sip:[email protected]). Messages in the order shown:

SIP INVITE (calling phone to its SIP Proxy)
DNS Query for the IP Address of the SIP Proxy of the Destination Domain
FW: SIP INVITE (proxy to proxy)
100 Trying (returned at each proxy hop)
The Location Service is queried to check that the destination SIP URI represents a valid registered device, and its IP Address is requested
FW: SIP INVITE (destination proxy to the called phone)
180 Ringing (relayed back through both proxies to the calling phone)
200 OK (relayed back through both proxies to the calling phone)
ACK (forwarded through both proxies to the called phone)
Both Way RTP Media
BYE
200 OK

STEM Architecture Components

Security Manager (SM)
Enhanced Firewall
Media / Signaling Gateway (M/S Gateway)
User Terminals

STEM Enhanced Firewall

Pattern Matcher
Protocol Parser
Flow Monitor
Application Gateway
External Interface

Call Scenarios – Net-to-Net

Call Scenarios – Net-to-Phone

STEM Security Countermeasures

Denial of Service
  TCP SYN Floods detected by Flow Monitor.
  SIP INVITE Floods detected by Protocol Parser.
  Malicious RTP Streams detected by Flow Monitor.
  M/S Gateway Voice Port saturation.

Eavesdropping
  Control Flow: STEM uses secured communication protocols among SM, firewall and M/S gateways.
  Data Flow: STEM relies on application protocols (SIP or H.323) to implement payload encryption.
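The INVITE-flood detection that the Protocol Parser and Flow Monitor perform together can be sketched in code. The following is an added example written for this page, not STEM's own code: a hypothetical parser/monitor pair that counts INVITE requests per source address in a sliding time window over a constructed trace; the 1 s window, the threshold of 5, and the addresses are assumptions.

```python
from collections import defaultdict, deque


def parse_sip_request(raw: str):
    """Protocol Parser stand-in: (method, uri, headers) for a SIP request, else None."""
    lines = raw.replace("\r\n", "\n").split("\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or parts[2] != "SIP/2.0":
        return None                      # responses ("SIP/2.0 100 Trying") and junk
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return parts[0].upper(), parts[1], headers


class InviteFloodMonitor:
    """Flow Monitor stand-in: per-source INVITE arrival times in a sliding window."""

    def __init__(self, window=1.0, threshold=5):
        # assumed policy: more than 5 INVITEs within 1 s from one source is a flood
        self.window, self.threshold = window, threshold
        self.arrivals = defaultdict(deque)   # src_ip -> recent INVITE timestamps

    def observe(self, ts: float, src_ip: str, raw: str) -> bool:
        """Feed one datagram; True when src_ip has now exceeded the INVITE rate."""
        parsed = parse_sip_request(raw)
        if parsed is None or parsed[0] != "INVITE":
            return False
        times = self.arrivals[src_ip]
        times.append(ts)
        while times and ts - times[0] > self.window:
            times.popleft()              # drop arrivals that fell out of the window
        return len(times) > self.threshold


def run_constructed_trace():
    """Constructed trace (not captured data): one normal call setup from 10.0.0.5,
    then a burst of INVITEs from 10.0.0.9. Returns the (ts, src_ip) pairs flagged."""
    invite = ("INVITE sip:bob@example.com SIP/2.0\r\nVia: SIP/2.0/UDP {ip}\r\n"
              "From: <sip:alice@example.com>\r\nTo: <sip:bob@example.com>\r\n\r\n")
    trying = "SIP/2.0 100 Trying\r\nVia: SIP/2.0/UDP 10.0.0.5\r\n\r\n"
    trace = [(0.0, "10.0.0.5", invite.format(ip="10.0.0.5")),
             (0.2, "10.0.0.1", trying)]                        # a response: not counted
    trace += [(1.0 + 0.1 * i, "10.0.0.9", invite.format(ip="10.0.0.9")) for i in range(8)]
    trace.append((5.0, "10.0.0.9", invite.format(ip="10.0.0.9")))   # window has emptied
    monitor = InviteFloodMonitor()
    return [(ts, src) for ts, src, raw in trace if monitor.observe(ts, src, raw)]
```

Only the sixth, seventh and eighth INVITEs of the burst are flagged; the single legitimate INVITE, the 100 Trying response and the lone INVITE arriving after the window has drained are not.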
