Download 1)VoIP-talk-Bhavani - The University of Texas at Dallas

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
page
19
page
20
page
21
page
22
page
23
page
24
page
25
page
26
page
27
page
28
page
29
page
30
page
31
page
32
page
33
page
34
page
35
page
36
page
37
page
38
page
39
page
40
Document related concepts

Resource Description Framework wikipedia , lookup

World Wide Web wikipedia , lookup

Knowledge representation and reasoning wikipedia , lookup

Semantic Web wikipedia , lookup

Transcript 
Voice Over IP Security and
Secure Semantic Web
Dr. Bhavani Thuraisingham
The University of Texas at Dallas
November 15, 2005
Outline
 PART I:
- Voice over IP (VoIP) Security
 PART II
- Secure Semantic Web for VoIP Applications
VoIP Security: Concepts
 Overview of VoIP
 VoIP Security Issues
 Reference:
- NIST Report on VoIP Security
- Secure Voice Over IP: Developments and Directions

Technical Report, The University of Texas at Dallas, To
appear

Authors: Bhavani Thuraisingham, Ramya Ramamurthy and
Siddhartha Gandhi
VoIP: Overview
 Voice over Internet Protocol (VoIP) technology in general
refers to the set of software and hardware standards that
enable “voice” to be transported, with the help of the Internet
Protocol (IP).
 Apart from IP, VoIP also uses Real-Time Protocol (RTP), to
ensure that the packets are delivered in a timely fashion
 It is the assembling of voice into IP data. This data can be
transmitted over an IP network to an addressable destination.
 This means sending voice information in digital form in
discrete packets rather than in the traditional circuitcommitted protocols of the public switched telephone
network
VoIP: Overview - II
 Advantages:
-
It avoids the tolls charged by ordinary telephone service.
VoIP phone bills are typically cheaper than traditional
phone bills.
VoIP includes greater flexibility
 Disadvantages
- VoIP should not be installed without careful consideration
of security problem introduced.
Sound quality and reliability are some other weak points
of this technology; Although the quality service of VoIP is
improving, it still cannot match that of PSTN.
- Initial setup cost - Although there are low cost and even
no-cost ways to transmit voice over IP, a company serious
about VoIP will have to invest heavily in one or more VoIP
devices.
-
VoIP: Protocols
 H323
- Audio CODECs; Video CODECs; H.225 RAS; H.225 call
signaling; H.245 Call Signaling; H.245 Control Signaling;
Real-time Transfer Protocols; Real-time Control Protocol
(RTCP)
- Protocols for voice, video and data conferencing over
packet switched networks such as Internet
 Session Initiated protocols (SIP)
SIP Components: User Agent and Network Server
Standards for setting up sessions between clients
 MGCP Media Gateway Control protocol
- Eliminates complex processor intense IP Telephony
devices
-
VoIP: Security
 With VoIP the two main assets that need to be protected, are
data and voice.
 Unlike telephone lines, where the voice traffic is not always
encrypted, except by certain security-sensitive organizations,
the voice and data that are sent through VoIP needs to be
encrypted always.
 This is mainly because the voice and data go across the
internet, where anyone can capture the packets meant for
someone else.
 Layers of defenses are needed to protect the voice calls
because the dynamic nature of VoIP network parameters
creates potential security vulnerabilities.
 Some of the commonly used security measures on data
networks include: firewalls, encryption, gateways
VoIP: Security - II
 Appropriate network architecture has to be developed so as
to keep the voice and data networks separate.
 There should be access control and strong authentication at
the voice gateway.
 Introduction of the above also requires organizations to find a
way to carry voice traffic through them.
 This may sometimes bring performance problems.
 A way to reduce the performance problems upon introducing
firewalls, such as application-level gateways is to use Internet
protocol security (IP sec) virtual private network at the router
or gateway.
VoIP: Security - III
 Need to assess, manage and mitigate risks that arise when VoIP is
implemented.
 Special considerations should be given to certain emergency
services like 911; As VoIP is packet-switched, 911 automatic location
services are not available with VoIP in some cases.
 Organizations need to ensure that physical controls are in place to
prevent access to VoIP network components.
 Organizations should have sufficient backup power systems
availability at the VoIP network switch and desktop.
 VoIP systems incorporate an array of security features and
protocols.
 The WiFi Protected Access (WPA) security protocol should be
deployed by organizations that intend allowing wireless access to
their VoIP network.
VoIP: Security – Application Attacks
 By spoofing a user’s identity, a potential attacker can cause
an attack known as the Denial-of-Service in SIP-based VoIP
networks.
- A denial-of-service attack can use up the entire resources
by exhausting the IP addresses of the server in a VoIP
network
 Man-in-the-middle attacks are possible by an intruder thereby
modifying the original communication between the calling
and called party.
 An attacker with the local access to the VoIP network may
overhear the network traffic and interpret the voice
conversations taking place between the two parties.
 An attacker can masquerade as a valid user and use the VoIP
network to make free long distance calls.
VoIP: Security – Denaila of Seervice (DoS)
Attacks
 A denial-of-service attack is basically an attack on any IP
network that causes a loss of service to its users.
 There are basically three types of this attack.
- Consumption of the computational resources, such as
disk space, bandwidth etc
Interference with the physical network components.
- Corruption of configuration information.
 The network can be attacked by flooding the network with
bogus packets, thereby not letting legitimate traffic to flow.
 If the DoS is conducted in a huge and complex network, the
entire network connectivity may have to be compromised by
incorrectly configured network.
-
VoIP: Security – Solutions to Denial of Service
(DoS) Attacks
 Change the IP address of the end machine.
- This is possible only if there is a single target machine. The new
address can be updated in the internal servers.
- This method is not quite possible, if the target involves many
machines.
 A firewall can stop a limited amount of DoS attacks.
- A firewall can filter out attacks aimed at exploits in the OS
 Filtering.
- There might a specific
signature to the traffic; examination of
these captured packets may reveal the possibility of an attack.
Once its known that, an attack would have been possible, one
might temporarily block all the traffic from that source.
- This might lead to blocking
some of the “real” and legitimate
packets. This is the major drawback of the filtering method.
VoIP: Security – Solutions to Denaila of Seervice
(DoS) Attacks
 Change the IP address of the end machine.
- This is possible only if there is a single target machine. The new
address can be updated in the internal DNS servers.
- This method is not quite possible, if the target involves many
machines.
 A firewall can stop a limited amount of DoS attacks.
- A firewall can filter out attacks aimed at exploits in the OS
 Another technique is filtering.
- There might a specific
signature to the traffic; examination of
these captured packets may e reveal the possibility of an attack.
Once its known that an attack would have been possible, one
might temporarily block all the traffic from that source.
- This might lead to blocking
some of the “real” and legitimate
packets. This is the major drawback of the filtering method.
Security in SIP
 Authentication and Authorization
- Authentication and Authorization is handled in SIP either on
request-by-request basis or challenge/response pairs.
- SIP
provides a standard challenge based authentication
mechanism for authentication.
- Any time the proxy server or the user Agent receives a request
it may challenge the client for its credentials.
- The
client may provide its credentials to the proxy server
before it receives the authentication required message from
the proxy server but not after that.
- Framework
of SIP authentication closely resembles that of
HTTP.
 Solutions for
- Tampering message bodies, Tearing down messages, Denial
of service, Registration hijacking, Impersonating a server
Summary and Directions
 VoIP is the way for communicating voice
 Security is critical
 Both access control and malicious corruption including denial of
service threats have to be investigated
 SIP security is critical
 Security for VoIP and also SIP is in the initial stages
 Need to manage the Voice Information
Secure Semantic Web: Overview
 According to Tim Berners Lee, The Semantic Web supports
- Machine readable and understandable web pages
- Enterprise application integration
- Nodes and links that essentially form a very large
database
Premise:
Semantic Web Applications = Web Database Management +
Web Services + Information Integration + Multimedia/Voice
SEMANTIC WEB must support VoIP and be SECURE
Layered Architecture for Dependable
Semantic Web
0Adapted from Tim Berners Lee’s description of the Semantic Web
S
E
C
U
R
I
T
Y
P
R
I
V
A
C
Y
Logic, Proof and Trust
Rules/Query
RDF, Ontologies
Other
Services
XML, XML Schemas
TCP/IP/HTTP/SSL
0 Some Challenges: Security and Privacy cut across all layers;
Integration of Services; Composability
What is XML all about?
 XML is needed due to the limitations of HTML and
complexities of SGML
 It is an extensible markup language specified by the W3C
(World Wide Web Consortium)
 Designed to make the interchange of structured documents
over the Internet easier
 Key to XML is Document Type Definitions (DTDs)
- Defines the role of each element of text in a formal model
 Allows users to bring multiple files together to form
compound documents
 Need XML Extensions for Multimedia and Voice
- SMIL, VoiceML
Aspects of XML Security
 Controlling access to XML documents
- Granularity of access: parts of documents, entire
documents
 Specifying policies and credentials in XML
 Third party publication of XML documents
 Encryption (www.w3c.org)
 How can we secure VoiceML?
Specifying User Credentials in XML
<Professor credID=“9” subID = “16: CIssuer = “2”>
<name> Alice Brown </name>
<university> University of X <university/>
<department> CS </department>
<research-group> Security </research-group>
</Professor>
<Secretary credID=“12” subID = “4: CIssuer = “2”>
<name> John James </name>
<university> University of X <university/>
<department> CS </department>
<level> Senior </level>
</Secretary>
Specifying Security Policies in XML
<? Xml VERSION = “1.0” ENCODING = “utf-8”?>
<Policy–base>
<policy-spec cred-expr = “//Professor[department = ‘CS’]” target =
“annual_ report.xml” path = “//Patent[@Dept = ‘CS’]//Node()” priv = “VIEW”/>
<policy-spec cred-expr = “//Professor[department = ‘CS’]” target =
“annual_ report.xml” path = “//Patent[@Dept = ‘EE’] /Short-descr/Node() and
//Patent [@Dept = ‘EE’]/authors” priv = “VIEW”/>
<policy-spec cred-expr = - - - <policy-spec cred-expr = - - -</Policy-base>
Explantaion: CS professors are entitled to access all the patents of their department.
They are entitled to see only the short descriptions and authors of patents of the EE
department
Policies for VoiceML?
Access Control Strategy
 Subjects request access to XML documents under two modes:
Browsing and authoring
With browsing access subject can read/navigate documents
Authoring access is needed to modify, delete, append
documents
Access control module checks the policy based and applies policy
specs
Views of the document are created based on credentials and policy
specs
In case of conflict, least access privilege rule is enforced
Works for Push/Pull modes
-




System Architecture for Access Control
Pull/Query
User
Push/result
X-Access
X-Admin
Admin
Tools
Policy
base
Credential
base
XML
/VoiceML
Documents
Third-Party Architecture
 The Owner is the
XML Source Credential
base
producer
of information It specifies
access control policies
 The Publisher is responsible
for managing (a portion of)
the Owner information and
answering subject queries
 Goal: Untrusted Publisher
with respect to Authenticity
and Completeness checking
policy base
SE-XML
Owner
credentials
Publisher
Reply
document
Query
User/Subject
RDF
 Resource Description Framework is the essence of the
semantic web
 Adds semantics with the use of ontologies, XML syntax
- Separates syntax from semantics
 RDF Concepts
- Basic Model
 Resources, Properties and Statements
- Container Model
 Bag, Sequence and Alternative
 RDF for Voice
RDF and Security
 XML Security for the Syntax of RDF
- Access control,
Third party publishing, Specifying g
policies and credentials
 Securing RDF Graphs
UTD research (MS and PhD work in progress)
 Securing semantics
- Approach: Take semantic specifications in RDF and
incorporate security
 Security policies embedded into the semantics
-
Ontology
 Common definitions for any entity, person or thing
 Several ontologies have been defined and available for use
 Defining common ontology for an entity is a challenge
 Mappings have to be developed for multiple ontologies
 Specific languages have been developed for ontologies including
RDF and OIL (Ontology Interface Language)
 DAML (Darpa Agent Markup Language) is an ontology and inference
language based on RDF
 DAMP + OIL; combines both languages
 Ontologies for Voice?
Security and Ontology
 Ontologies used to specify security policies
- Example: Use DAML + OIL to specify security policies
- Choice between XML, RDF, Rules ML, DAML+OIL
 Security for Ontologies
- Access control on Ontologies
 Give
access to certain parts of the Ontology
Rules ML, Inference and CWM
 Rules ML is a Rules Markup Language for specifying rules
 Inferencing is about making deductions
- Deductions based on rules specified in Rules ML or
DAML+OIL
Based on denotational logic
 CWM: Closed World Machine
- Inference engine for the semantic web written as a Python
program
 Rules ML for Voice?
-
Security and Inferencing
 Specify security policies in Rules ML
 Inferencing is part of the semantic web; deduced information could
be sensitive
 Extend CWM to handle the inference and privacy problem
- Extended Python program?
Rules Processing
User Interface Manager
Rules/
Constraints
Constraint
Manager
Query Processor:
Constraints during
query and release
operations
Update
Processor:
XML Database
Design Tool
Constraints during
database design
operation
Constraints
during
update
operation
XML Document
Manager
XML
Database
Rule-Processing (Concluded)
Technology
By Project
Interface to the Semantic Web
Inference Engine/
Rules Processor
Policies
Ontologies
Rules
Semantic Web
Engine
XML, RDF
Documents
Web Pages,
Databases
Trust and Proof
 Context
- Based on the context specify to what extent one trusts the
statements
 Digital signatures
Verifies that one wrote a particular document
 Proof
- Using proof languages we prove whether or not a
statement is true
Proofs based on logical systems
-
Security, Trust and Proof
 Extend trust management and Trust negotiation techniques
for semantic web
 Trust Services, Trust negotiation (TN)
Applicability of KeyNote and Trust-X (U of Milan),
TrustBuilder (UIUC)
 Use proof to reason about security and trust
- Is the semantic web secure?
- Is the semantic web trustworthy?
Are there security/trust violations?
-
-
Web Database Management
 Database access through the web
- JDBC and related technologies
 Query, indexing and transaction management
- E.g., New transaction models for E-commerce applications
- Index strategies for unstructured data
 Query languages and data models
- XML has become the standard document interchange language
 Managing XML databases on the web
- XML-QL, Extensions to XML, Query and Indexing strategies
 Managing multimedia and voice data
- Indexing and query strategies
Secure Web databases
 Secure data models
- Secure XML, RDF, - - - - Relational, object-oriented, text, images, video, etc.
 Secure data management functions
- Secure query, transactions, storage, metadata
 Key components for secure digital libraries and
information retrieval/browsing
 Need to secure VoIP information management
techniques
Web Services
 Web Services are about services on the web for carrying out many
functions including directory management, source location,
subscribe and publish, etc.
 Web services description language (WSDL) exists for web services
specification
 Web services architectures have been developed
 Challenge now is to compose web services; how do you integrate
multiple web services and provide composed web service in a
seamless fashion
 Web Services must support Multimedia data, including Voice
Web service architecture
Publish
Query
UDDI
Answer
Service
requestor Request the
service
Service
providers
Secure Web Service Architecture
Confidentiality, Authenticity, Integrity
BusinessEntity
<dsig:Signature>
tModel
Query
UDDI
BusinessService
PublisherAssertion
BusinessService
Service
requestor
Service
provider
BindingTemplate
Vision for Dependable Semantic Web for VoIP
Core Semantic Web Technologies:
Systems, Networks, Multimedia, Agents, AI,
Machine Learning, Data Mining, Languages,
Software Engineering, Information Integration
Need research to bring together the above
technologies
Directions:
Security/Trust/Privacy,
Integrate sensor
technologies, Pervasive
computing, Social impact
Domain specific
semantic webs:
DoD, Intelligence,
Medical, Treasury,- - -
Related documents
Job Opportunity: Tier2 Support Technician
Job Opportunity: Tier2 Support Technician
VoIP.pps
VoIP.pps
Quality Of Service
Quality Of Service
Slide 1
Slide 1
Voice over Internet Protocol: Policy Implications and Market Realities
Voice over Internet Protocol: Policy Implications and Market Realities
Voice Over IP and Security
Voice Over IP and Security
No Slide Title
No Slide Title
The Semantic Web
The Semantic Web
VIP-310S/VIP-320S/VIP-311O/VIP
VIP-310S/VIP-320S/VIP-311O/VIP
PDS Consulting VoIP
PDS Consulting VoIP