Securing VoIP and PSTN from Integrated Signaling Network Vulnerabilities
Hemant Sengar, George Mason University
Ram Dantu, University of North Texas
Duminda Wijesekera, George Mason University
Background:
Integration of Voice and Data Network
[Figure: network diagram with the labels PBX, Public Switched Telephone Network (PSTN), Telephone, Modem, IDC, Fax, IP Phones, Mobile Switching Center, Comm. Tower, IP Gateway, Cell Phone, Pager, Internet]
Public Switched Telephone Network
SS7 Protocol Stack
[Figure: SS7 protocol stack with the layers ASE, OMAP, TCAP, ISDN User Part, Signaling Connection Control Part (SCCP), and the Message Transfer Part (MTP): Level 3 (Network Layer), Level 2 (Data Link Layer), Level 1 (Physical Layer)]
Integrated IP and SS7 Network
Interconnect IP Network to SS7 Network
[Figure: network diagram with the labels SIP Proxy Server, Router, SIP Network, IP Link, Mobile Devices with VoIP, Media Gateway Controller, Enterprise Network, SS7 Network, SIGTRAN based Link, Carrier Networks]
SIGTRAN Protocol Suite
[Figure: SS7 over IP, SIGTRAN architecture. Upper-layer labels: TCAP, MTP3, ISUP, SCCP, ISDN. Adaptation Layer: M2PA, M2UA, M3UA, SUA, IUA. Signaling Transport: SCTP. Internet Protocol: IP]
M2PA in Signaling Transport
[Figure: protocol stacks of the Service Switching Point (SSP), Signaling Gateway (SG) and Media Gateway Controller (MGC). Layers shown: ISUP, MTP3, MTP2, MTP1, M2PA, SCTP, IP. Links labelled SS7 and IP Network]
SS7 Network Security Threats
Telecommunication Deregulation Act, 1996 has opened up the market
SS7 design and development were carried out in a different environment from the present one
Convergence of voice and data networks
IP Network Security Threats
Denial of Service (DoS) attacks
Spoofing, Sniffing.
Viruses, Worms etc.
Intrusion
Marriage of SS7 and IP
Exponential growth of IP Telephony
More ISPs attach to SS7 Network
Threats to Signaling Nodes
May come from SS7 side or from IP side
Signaling Nodes are Exposed
Potential Threats due to Message Content
ISUP's IAM message populated with Multilevel Precedence and Preemption (MLPP) parameter
Populating CIC of IAM with 0000 value
Caller ID may be spoofed
Contd…
Signaling Nodes are Exposed
MGC is used to bridge SIP and ISUP network
Translation of ISUP to SIP and mapping of ISUP parameters into SIP headers
Blind interpretation
Signaling Nodes are Exposed
Traffic Flow Analysis
Traffic nature, load, network topology
Subscriber's behavior and identity
Link Status Messages in IP Network
Processor Outage
Busy
Out of Service
Signaling Nodes are Exposed
Misbehaving Node
M2PA based IPSPs have two identifiers
Violation of Protocol State Machine
Continuous Proving
Sequence of exchanged messages
Current Status:
IP Network Side
Signaling Nodes may use SSL or IPSec
Secure Signaling Architecture:
Signaling Gateway at the Interface
[Figure: Security System placed between the SS7 Network and the IP Network. Layers shown: MTP3, MTP2, MTP1, M2PA, SCTP, IP. Two secured tunnels labelled Key-1 and Key-2]
Secure Signaling Architecture:
[Figure: architecture diagram with the labels Trust Management, Authentication, Gateway Screening (Firewall), Intrusion Detection, Rule Changes, Re-Authentication, Trust Negotiation, Signatures, Armor, DoS/Vulnerabilities]
Trust Management:
Define Service Level Agreements
Define Access control Policy
Authentication:
IETF has proposed IPSec for IP Network
Our Proposal of MTPSec for SS7 Network
Proposed Solution
Security Across MTP3 Layer
Combination of two protocols
Key Exchange (KE) Protocol
Authentication Header (AH) Protocol
Authentication Header Format
Conclusion
Provides Integrity and Authentication solution to all signaling nodes
Enforces SLA and ACL policy at the interface
Puts checks on misbehaving entities
Thank You !