Security model-of-sip-d2-05 at kishore
- 2. Agenda
1. Security is Ever Pervasive
2. SIP is no exception
3. Introducing SIP CIA Model
4. ‘Always ON’
5. Call Flow Scenarios
Alcatel-Lucent – Proprietary
All Rights Reserved © Alcatel-Lucent 2007
- 3. Security is Ever Pervasive
Alcatel-Lucent – Proprietary
All Rights Reserved © Alcatel-Lucent 2007
- 4. About Alcatel-Lucent Leadership and Expertise in Security
Alcatel-Lucent’s resources are pioneers in the knowledge that drives security innovations
Patents and standardization: R&D leadership
Hundreds of patents in security, cryptography, biometrics, firewalls, denial of service and virus detection
ITU Standards Visionary (X.805) then ISO 18028
Major player in ITU-T SG 17 – Lead Study Group on Communication System Security
CERT-IST operation, FIRST membership since 1999
Bell Labs leadership in:
Creation of new cryptography (SHAZAM for CDMA2000, PAK)
Breaking of old cryptography (PKCS#1, DSA, SOBER, Clipper)
Development of optical-rate encryption ciphers and NSA-certified encryptors
Pioneering work in provable security
Biometrics (voice authentication with secured models)
High-speed encryption hardware (e.g., for SANs)
Integration of 802.11 and 3G AAA
Watermarking
- 5. Alcatel-Lucent Bell Labs Security Framework
The international standard to build secure-by-design communications solutions
Building security into the DNA of complex systems
Layers: Infrastructure, Services, Applications
Planes: End User, Control / Signaling, Management
The 3 layers X 3 planes form 9 modules (MODULE 1 to MODULE 9)
Security dimensions (8 cells per module): Access Control, Authentication, Non-Repudiation, Data Confidentiality, Comms Security, Data Integrity, Availability, Privacy
9 modules X 8 cells = 72 security cells
Threats / attacks addressed: Destruction, Corruption, Removal, Disclosure, Interruption
The Bell Labs Security Framework
ITU/X.805 Security Standard
ISO 18028 Security Standard
- 6. Security trends
Hacker ‘professionalism’ on the rise
Viruses are just one part of a greater danger: cybercrime
Viruses are now used as ‘tools’ to:
Install backdoors
Steal identity data
Mount major attacks
[Diagram: Virus -> Backdoor (ex: Bugbear.b, Sobig) -> Major attacks (ex: Autoproxy, Sobig) -> SPAM; Targeted attacks -> Financial data theft]
Underground price list (source CLUSIF):
Non-exclusive access to a bot: 0.15 €/bot
Exclusive access to a bot: 0.35 €/bot
Network of 500 bots (= zombies): 380 €
Major attacks for rent – 20000 proxy for spam: 75 €/week
Major attacks for rent – On-demand DDOS attack: 38 to 750 €
A menacing change in attacker skill and motivation: “Virus makers are becoming mercenaries.”
- 7. Security –The Jobs to do
Attacks increasing in sophistication and impact
External and internal threats and vulnerabilities
Increasingly complex technology
Outsourcing and application hosting
Regulatory requirements & Homeland Security
Operational challenges, patch management
Need for privacy, reliability and availability
Web-based commerce
- 8. SIP is no Exception
- 9. Tackling SIP Security - General SIP servers
Execution phases for all incoming SIP messages:
Reception
Parsing (computationally intensive for SIP!)
Processing (depends on the type of message and the SIP element)
Marshalling & transmission
[Diagram: general multi-threaded SIP server – network socket buffer -> N threads, each doing parsing then processing -> network socket buffer]
- 10. Tackling Prioritizing SIP servers
Modifications:
Prioritization mechanism
Message priority queue
On-demand parsing during prioritization and processing
[Diagram: prioritizing SIP server – network socket buffer -> pre-parsing & prioritization threads -> message priority queue -> remainder parsing & processing threads -> network socket buffer]
- 11. Tackling SIP Security - Message processing stages
Parse only what is strictly necessary, in combination with an efficient header field recognition algorithm
Measured sojourn time (excluding network buffer), by stage:
General SIP server: parsing, then processing
SIP server with on-demand parsing: parsing on-demand during processing
Prioritizing SIP server with efficient parsing: queuing, parsing on-demand during prioritization, parsing on-demand during processing
Prioritization policies based on message characteristics, system state, and statistics
- 12. Tackling SIP Security - Prioritizing SIP server
[Diagram: SIP devices send SIP messages to the prioritizing SIP server (SIP server1 ... SIP servern), built on the Bell Labs Java SIP stack]
Stages inside the server: Pre-parsing -> Prioritizing -> Processing, with a Drop path for messages the policy rejects
Policy definition comes from the Service Provider
Dynamic adaptation to real-time conditions
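As an added illustration of the pre-parsing, prioritizing and drop stages on slides 10 to 12 (example code written for this page, not the Bell Labs Java SIP stack; the overload policy of serving responses and in-dialog requests before new-session requests, and the bounded queue size, are assumptions):

```python
import heapq
import itertools

# Requests that progress an existing call; served before new-session requests
# when the server is overloaded (an assumed policy, not the deck's own).
IN_DIALOG_METHODS = {"BYE", "ACK", "CANCEL", "INFO", "UPDATE"}

def pre_parse(raw: bytes) -> dict:
    """Read only the start line and the To header; leave everything else unparsed."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii", "replace").split("\r\n")
    start = lines[0].split(" ", 2)
    info = {"method": None, "status": None, "to_tag": False, "body_len": len(body)}
    if start[0].startswith("SIP/") and len(start) >= 2 and start[1].isdigit():
        info["status"] = int(start[1])        # response, e.g. "SIP/2.0 200 OK"
    else:
        info["method"] = start[0].upper()     # request, e.g. "INVITE sip:... SIP/2.0"
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() in ("to", "t"):
            info["to_tag"] = "tag=" in value  # To-tag present => in-dialog request
            break                             # nothing else is needed at this stage
    return info

def priority(info: dict) -> int:
    """Lower value is served first."""
    if info["status"] is not None:
        return 0                              # responses finish work already started
    if info["method"] in IN_DIALOG_METHODS or info["to_tag"]:
        return 1                              # in-dialog requests keep live calls alive
    return 2                                  # new INVITE / REGISTER / OPTIONS ...

class PriorityInbox:
    """Bounded message priority queue; when full, the least urgent message is dropped."""
    def __init__(self, capacity: int):
        self.capacity, self._seq, self._heap, self.dropped = capacity, itertools.count(), [], 0
    def offer(self, raw: bytes) -> bool:
        prio = priority(pre_parse(raw))
        if len(self._heap) >= self.capacity:
            worst = max(self._heap)           # entries are (prio, seq, raw): max = least urgent
            self.dropped += 1
            if worst[0] <= prio:
                return False                  # arrival is no more urgent than anything waiting
            self._heap.remove(worst)          # evict the waiting one instead
            heapq.heapify(self._heap)
        heapq.heappush(self._heap, (prio, next(self._seq), raw))
        return True
    def take(self):
        # Hand the most urgent message on to full parsing and processing.
        return heapq.heappop(self._heap)[2] if self._heap else None
```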
- 13. All Corners Of Security Challenges
Regulatory requirements
Need to boost confidence in security of VoIP, XoIP transactions
Market pressure of reducing operational costs & competition
Hacking & other attacks
- 14. Introducing SIP CIA Model
- 15. Keys, Values & Codes CIA model for SIP Security
The CIA Triad is a widely used information assurance model. It consists of:
Confidentiality
Integrity
Availability
Confidentiality
Ensuring that information is accessible only by those who are authorized.
Integrity
Ensuring that information is pristine/unaltered/complete.
Availability
Ensuring that information is available when it is needed.
- 16. Keys, Values & Codes CIA model for SIP Security
- 17. Session Universe-People, Processes and Enablewhare
People
• Awareness about importance of SIP Security compliance
• Convergence mind set
SIP/IMS Technology
• Adaptive Messages for data gathering & analysis
• Platforms, Subsystems
• Databases
Process
• Feedback loops with automated and interactive web based solutions to tie people, process and technologies together
[Diagram: People, Process and Technology circles overlapping around the SIP AS]
- 18. CIA model for SIP Security
- 19. The Model is ‘Always ON’
- 20. Two Parts to the Security Strategy
• Part One: Security Inside Value Prop - Enhance the Brand
a. Different from the competition
b. Creates a foundation for “trustworthiness”
Value Prop – Create Revenue
• Part Two: Keeping IT Secure
a. Enhances the Trust Model – Protect the network, keep it “trustworthy”
1. End-to-end security approach in NGN, integrated to lower the opex of security
2. A solution – not more point products
3. Centralize management for response (Centralized Security Management)
b. Lower the Opex of Security Management
1. Central event correlation manager
2. Central resource manager
- 21. Enterprise Security Solutions
User Aware Network Security: Pre/post admission control
Key Mobile Users Security: Nonstop Laptop Guardian
Business Critical Application Security: Web Services Gateway
Channels: Data/Converged VARs, Network service providers, Systems Integrators
SIP is perhaps the latest and most effective digital bridge of all known bridges
- 22. Enterprise Applications
PECaBoo
Personal Call Manager
Allege – WorkTrack/Field Supervisor
- 23. iLocator Features
A location-based tracking application / platform
A Location-based Service Product from Bell Labs Research & Mobility/IN
Tracks people/events/places on a map
People: Track buddies within a vicinity
Events: Track if there is a sale or a traffic-jam nearby
Places: Display preferred shops, ATMs, gas stations, and restaurants in the user’s vicinity
Enables custom services targeting enterprises, families, govt.
For example, TeenTracker, FleetTracker, DirectionFinder
Supports SMS’ing from within the application
Works across network types, location techniques, handsets
- 24. Consumer Applications >> Data Messaging
PhonePages
A phonepage is a light-weight home page added to your phone number
Subscribers push their pages to callers and receive pages on calls from other subscribers
Drives data session usage by letting subscribers surf during and after calls
PeCaBoo
Displays in connection with phone calls
Different features at different events (for example, calling, rejected, busy)
Displays in multiple formats (for example, WAP, SMS, e-mail, etc.)
Services used
Multiparty Call Control
User Interaction (WAP Push, SMS)
- 25. Enterprise Applications >> Data Messaging
EWay
Provides remote and secure access to enterprise networks for mobilizing and telecom-enabling enterprise IT applications and systems
Supports communication capabilities such as messaging, call management, content charging, presence and availability management, and universal service access through web, WAP and interactive voice
Mobile internet and IVR access to MS Exchange and Outlook
Outbound call management with click-to-dial and voice activated dialing from contact lists
Services used
Call Control
User Interaction
- 26. Consumer & Enterprise Applications
Fuzion
End-users specify personal preferences to manage their communication needs.
Ability to define a personal profile (at home, office, travel, can be reached at, etc.) and instruct the system to handle incoming calls for call routing, call screening and notification treatment
Supports a Personal communication portal (PCP) for personal address book, calendar and message storage via Web, WAP and Voice interfaces
Services used
Call Control
User Interaction
- 27. Edge Protection
• Deployed at the edge of your network as your first line of defense
• Provides Multi and Blended threat security along with securing VOIP
• Protects critical VOIP (H.323, SIP) resources from attacks
- 28. SIP Security and Value
Focused approach on key areas where SIP Security can bring value through:
Flexibility: flexibility of deployment choices, modularity and openness (ecosystem)
Innovation: by virtue of being an open protocol, SIP paves the way for innovation
User Aware Network Security: most flexible solution to allow user pre and post admission control
Key Mobile Users Security: unique solution solving the mobile blind spot
Business Critical Application Security: industry first to provide stateful policy enforcement across the organization
- 29. The Alcatel-Lucent VPN Firewall - Made for Global Scalability
[Diagram: Managed Service Clients (VLAN 100 Extranet Server, VLAN 200 SAP Server, VLAN 300 Mail Server, VLAN 400 Public Server) and Customers A, B and C, each behind an existing router, reach Data Center Services over the IP Network; VPN Firewalls Brick® 50-150, two Brick® 1100 (Active/Active), Brick® 700, Brick® 1200 and Brick® 20 protect Core A / Core B; Centralized Management with ALSMS and ALSCS]
- 30. The Alcatel-Lucent Security Portfolio in the Enterprise
Technology
• ALVF with SRM/PDG/RBR
• Evros
• CloudControl
• Vital ISA (SEM)
• Vital AAA/QIP/Endforce
• AWARE
• Identity Management
• Security Prof Services
• Managed Security Services
[Diagram: Global Offices, Headquarters, Alternate Data Center, Primary Data Center, Manufacturing Center, Consultants and Mobile Workforce connected through the Network Cloud, with a 24X7 SOC]
- 33. Applications - Reach Me “AnyWare”
Jacques owns a Real Estate Agency and wants to be reachable for (important) clients any time, anywhere – independent of the network he is connected to.
He wants to use his convenient, high-quality wireline phones whenever he is in the office or at home
He uses his mobile phone when he is traveling
He wants to be reached at his current location, whether the caller dialed his office, home, or mobile number
He sometimes must change his regular schedule/preferences to serve important clients
[Diagram: Jacques (Owner) – Home in Evry, Main Office in Concorde (8am – 12pm), Office in Sorbonne (1pm – 5pm), Jacques’ Mobile Phone; callers Pierre (less important client) and Michelle (important client)]
- 34. Encryption
Symmetric
Encryption and decryption use the same key
Key must be secret (secret key)
Best known: DES, AES, IDEA, Blowfish, RC5
Symmetric Encryption used for: Payload encryption (ESP), Packet authentication (AH & ESP)
Asymmetric
Also known as Public Key Encryption
Encryption and decryption keys are different
One key is public, the other is private
Asymmetric Encryption used for: Initial peer authentication in IKE, Key exchange in IKE
- 35. Conventions
- 37. Asymmetric Encryption
Two complementary keys
Private key (kept secret – usually protected by a passphrase)
Public key (published) – Problem: Authenticity
Basic Premises
Keys are not computable from each other
Encryption with one key can only be reversed with the other key
Best known examples
RSA & ECC, DSA for signatures
Used in
(Open)PGP (Pretty Good Privacy) for digital signatures and encryption
PKI (Public Key Infrastructure) – e.g. certificates for web servers & S/MIME
RSA – Rivest Shamir Adleman, ECC – Elliptic Curve Cryptography, DSA – Digital Signature Algorithm
- 39. Hash Functions
Produce hash values for data access or security
Hash value: number generated from a string of text
Hash is substantially smaller than the text itself and typically fixed length
Basic Premises:
Unlikely that other text produces the same hash value (collision resistance)
Unidirectional (cannot calculate text from hash)
Provides: Integrity & Authentication
Best known: SHA-1 & MD5
Example:
$ echo The quick brown fox jumps over the lazy dog. | md5sum
0d7006cd055e94cf614587e1d2ae0c8e *-
$ echo The quick brown fox jumps over the lazy dog! | md5sum
54828ad41cf232a5c374689e2f06d3af *-
SHA – Secure Hash Algorithm, MD5 – Message Digest
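An added example (not from the deck) that reproduces the slide's point with SHA-256 instead of MD5: the digest is fixed length and a one-character change flips roughly half its bits. It also shows the check a practitioner would add to the "Integrity & Authentication" line: an unkeyed hash only detects change, whereas the keyed HMAC variant is what ties the data to a key holder. The inputs and key are constructed for the example.

```python
import hashlib
import hmac

# Constructed sample inputs: the slide's two sentences, which differ in one character.
MSG_A = b"The quick brown fox jumps over the lazy dog."
MSG_B = b"The quick brown fox jumps over the lazy dog!"
# Constructed demo key; a real MAC key comes from a key-management system.
DEMO_KEY = b"demo-key-not-for-production"

def digest_hex(data: bytes, algo: str = "sha256") -> str:
    """Fixed-length digest of arbitrary-length input (64 hex chars for SHA-256)."""
    return hashlib.new(algo, data).hexdigest()

def differing_bits(hex_a: str, hex_b: str) -> int:
    """Number of bit positions in which two equal-length digests differ."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")

def integrity_ok(data: bytes, expected_hex: str) -> bool:
    """Unkeyed integrity check: detects accidental change, but whoever can
    replace the data can also replace the digest, so it proves no origin."""
    return hmac.compare_digest(digest_hex(data), expected_hex)

def mac_hex(data: bytes, key: bytes) -> str:
    """Keyed digest (HMAC-SHA256): only a holder of `key` can produce a valid one."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def authentic(data: bytes, key: bytes, tag_hex: str) -> bool:
    """Integrity plus origin authentication, compared in constant time."""
    return hmac.compare_digest(mac_hex(data, key), tag_hex)

def demo() -> dict:
    """Run the checks above on the constructed inputs and return the results."""
    a, b = digest_hex(MSG_A), digest_hex(MSG_B)
    forged_tag = mac_hex(MSG_B, b"wrong-key")        # produced without DEMO_KEY
    return {
        "digest_len": len(a),
        "bits_changed": differing_bits(a, b),        # roughly half of 256 bits
        "hash_accepts_replaced_pair": integrity_ok(MSG_B, b),
        "mac_rejects_forgery": not authentic(MSG_B, DEMO_KEY, forged_tag),
    }
```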
- 43. SSH-2 Protocol Stack & Connection establishment
SSH-2 comprises multiple flexible hierarchical protocols:
SSH Authentication Protocol (SSH-AUTH), SSH Connection Protocol (SSH-CONN) and SSH File Transfer Protocol (SSH-SFTP)
all run over the SSH Transport Layer Protocol (SSH-TRANS), which runs over TCP/IP
Connection Establishment
1. SSH-TRANS – Authenticates the host and does the initial key negotiations
2. SSH-AUTH – Authenticates the user via flexible methods - Optional
3. SSH-CONN – Channel based services layer – multiple channels simultaneously
4. SSH-SFTP – For remote file operations – Specific applications
- 44. Summing UP
1. Security is Ever Pervasive
2. SIP is no exception
3. SIP CIA Model
4. The ‘Always ON’ Model at Work
5. Call Flow Scenarios with built in SIP Security