Transcription
INTERNATIONAL INTERCONNECTION FORUMFOR SERVICES OVER IP(i3 FORUM)(www.i3forum.org)Workstream “Technical Aspects”White PaperSecurity for IP Interconnections(Release 1.0) May 2011“Security for IP Interconnection”, Rel. 1.0i3 Forum Proprietary Document1
Executive SummaryTo facilitate the transition to IP of international voice interconnections there is a requirement to ensure thatconnections are secured properly against security threats and fraud. This document aims to provide anintroduction to security for carriers and service providers involved in international VoIP interconnections tohelp understand the environment, security challenges and appropriate responses.In order to achieve this goal, this document covers the following: Security Trust Model Current security threats Specific information on threats to IP services Security mechanisms for threat mitigation Security mechanism deployment recommendations Policy recommendationsThis document concentrates on security of VoIP interconnections and does not cover organizational IT andnetwork security.The trust model establishes zones to understand security requirements of devices: Trusted Zone – internal network elements solely under the control of the carrier or service provider Trusted But Vulnerable Zone – network elements that are placed at the Trusted Zone border thatmay have shared control Un-trusted Zone – network elements in the wider network that have unknown control andconfigurationThreats discussed include DoS attacks, network intrusion and theft of service. The particular sensitivities ofthe service interfaces involved in VoIP interconnections are reviewed for: SIP/SIP-I interface RTP interface SIGTRAN interface ENUM interface Routing & Addressing Provisioning interfaceMechanisms are described and appropriate recommendations are given for the securing of the serviceinterfaces in both: Private-oriented interconnection Public-oriented interconnectionPolicy recommendations include the creation of a security code of conduct with an interconnection partnerand appropriate processes to handle internal security and fraud.“Security for IP Interconnection”, Rel. 1.0i3 Forum Proprietary Document2
Table of Contents1Scope of the Document .52Objective of the Document .63Acronyms .74References .95Security Trust Model .105.1Trusted Zone .105.2Trusted But Vulnerable Zone .105.3Un-trusted Zone.105.4Interconnection Trust Model .116Security Threats .126.1DoS/DDoS Attack .126.2Protocol Vulnerabilities .136.3Address/Identity Spoofing .146.4Theft of Service .156.5Rogue Media .166.6Session Hijacking .166.7Network Intrusion.176.8Internal Security Issues .177Review of Service Security.197.1Voice Services.197.1.17.1.2Theft Of Service & Fraud. 19DoS Attacks. 197.2SIGTRAN Services.197.3Routing & Addressing Query Services .207.3.1ENUM/DNS . 207.4Routing & Addressing Database Provisioning Services.208Security Mechanisms.218.1Topology Hiding .218.2Encryption.218.3Authentication.228.4Access Control Lists .228.5Reverse Path Filters .238.6Traffic Policing .238.7Application Level Relaying .248.8Deep Packet Inspection .248.9Secure RTP (SRTP) .258.10DNS Security (DNSSEC).25“Security for IP Interconnection”, Rel. 1.0i3 Forum Proprietary Document3
8.11Media Filtering .258.12Firewalls .268.13Intrusion Detection Systems.268.14Device Hardening .268.15Logging and auditing .278.16Security Information and Code Updates .278.17Threat Mitigation by Mechanism Matrix.289Implementation Recommendations.299.1Transport Configurations .299.2Use of Border Functions.299.3General Security Recommendations.299.4Internal Policy Recommendations perations/Security Partitioning. 29Fraud Management . 30Vendor/3rd Party Support Access . 30Interconnection Security Policy Recommendations .30Minimum Required Security . 30Acceptable Use Policy. 30Security & Fraud Procedures . 30Recommendation Matrixes.31Recommendations for External Service Interfaces . 31Recommendations for Routing & Addressing Provisioning and Other Interfaces . 3310Security Best Practices & Processes .3410.1Applicable Standards and Literature .34Annex A – Example of Security Code of Interconnection.35Appendix A – Internal Security Examples .36App-A1App-A2App-A3Example: Allowing an anonymous source. 36Example: Border Function Tromboning. 36Example: Removal of Traffic Constraints . 37Appendix B – Deep Packet Inspection (DPI) Layer 5 – 7 Countermeasures .38App-B1App-B2App-B3App-B4Filtering of Signalling (aka Method-Proofing) . 38Spoof-Proofing (Origin Authentication). 38Media Pin Holing . 38Protocol Fuzz-Proofing (Protocol Robustness) . 39Figures:Figure 1:Figure 2:Figure 3:Figure 4:Figure 5:Figure 6:Figure 7:Interconnection Trust ModelHigh Volume Identity SpoofingLow Volume Identity SpoofingIncorrect Source AddressBorder Function Traffic MixingAllow anonymous source addressBorder function tromboningMatrix:Matrix 1:Matrix 2:Matrix 3:Threat Mitigation by Mechanism MatrixRecommendations for External Service InterfacesRecommendations for Routing & Addressing Provisioning and Other Interfaces“Security for IP Interconnection”, Rel. 1.0i3 Forum Proprietary Document4
1Scope of the DocumentThe scope of this document is to discuss the security of VoIP interconnection used for the transport ofinternational voice traffic and related services between carriers and service providers. This includes thesecurity of VoIP signalling interfaces using the SIP or SIP-I protocols, VoIP audio path interfaces using theRTP protocol, messaging and signalling services using the SIGTRAN protocol, routing and addressingqueries using the ENUM DNS protocol and routing/addressing provisioning interfaces.This is consistent with the services discussed in the i3 Forum Technical Interconnection Model forInternational Voice Services [1].This document is limited to security threats relevant to VoIP interconnections operating as carrier to carrierNNI and service provider to carrier NNI, and the impact on the service interfaces. The document takes intoaccount the relevant literature for VoIP security.This document does not discuss the requirements for general IT and network security within a carrier orservice provider organization except where that is relevant to the security of VoIP interconnections.This document does not discuss the requirements of local regulations related to network security and theuse of the security mechanisms by carriers and service providers.“Security for IP Interconnection”, Rel. 1.0i3 Forum Proprietary Document5
2Objective of the DocumentThe objective of this white paper is to provide helpful practical information for carrier and service providerorganizations to secure VoIP interconnections and associated component service interfaces.The security threats commonly encountered on the Public Internet are described and discussed withreference to the component services of VoIP interconnections. Types of mechanisms for the protection ofcomponent service interfaces are discussed and recommendations given for minimum, recommended andoptional configurations for applying these mechanisms. Information on security policies appropriate for VoIPinterconnections are also given together with information on fraud.“Security for IP Interconnection”, Rel. 1.0i3 Forum Proprietary Document6
HLRIBCFIBGFICMPIDIDSIMSIPSecISPIPv4IPv6MAC addressMAPMD5MGMITMMPLSNAPTNATNE’sNISCCNIST CSRCNNINOCNTPOSOSSP-CSCFPSTNAccess Control ListAsymmetric Digital Subscriber LineAdvanced Encryption StandardApplication Server/Web ServerAcceptable Use PolicyBack-to-Back User AgentBorder Gateway ProtocolBase Station RouterBusiness Support SystemCall Data RecordComputer Emergency Response TeamCall Handling FunctionCall Line IdentificationCentral Processing UnitCommand SequenceDomain Border ElementsDistributed Denial of ServiceDomain Name SystemDomain Name System Security ExtensionsDenial of ServiceDeep Packet InspectionElectronic NumeringEncapsulated Security PayloadFile Transfer ProtocolGlobal System for Mobile communicationsGSM (Global System for Mobile) AssociationHome Location RegisterInterconnection Border Controlling FunctionInterconnection Border Gateway FunctionInternet Control Message ProtocolIdentificationIntrusion Detection SystemIP Multimedia SubsystemInternet Protocol SecurityInternet Service ProviderInternet Protocol Version 4Internet Protocol Version 6Media Access Control addressMobile Application PartMessage-DigestMedia GatewayMan In The MiddleMulti Protocol Label SwitchingNetwork Address & Port TranslationNetwork Address TranslationNetwork ElementsNational Infrastructure Security Coordination CentreNational Institute of Standards and Technology ComputerSecurity ResourceNetwork to Network InterfaceNetwork Operations CenterNetwork Time ProtocolOperating SystemOperating Support SystemProxy-Call Session Control FunctionPublic Switched Telephone Network“Security for IP Interconnection”, Rel. 1.0i3 Forum Proprietary Document7
CPTDMTLSUDPVLANVoIPVPNRivest, Shamir and Adleman (first publicly describedsource of the algorithm for public-key cryptography)Real Time Control ProtocolReal Time ProtocolSession Border ControllerSession Description ProtocolSignaling Gateway FunctionSignaling TransportSession Initiation ProtocolSIP with encapsulated ISUPSimple Network Management ProtocolSimple Object Access ProtocolSecure Real-time Transport ProtocolSignalling System 7Transmission Control ProtocolTime Division MultiplexingTransport Layer SecurityUser Datagram ProtocolVirtual Local Area NetworkVoice over IPVirtual Private Network“Security for IP Interconnection”, Rel. 1.0i3 Forum Proprietary Document8
[13][14][15][16][17][18][19]i3 Forum ”Technical Interconnection Model for International Voice Services”, Release 4.0,May 2011ITU-T Recommendation Y.2701 Security requirements for NGN phase 1ITU-T Recommendation Y.2704 Security mechanisms and procedures for NGNIETF RFC 3261 “SIP: Session Initiation Protocol”, June 2002GSM Association IR77 “Inter-Operator IP Backbone Security Requirements for ServiceProviders and Inter-operator IP backbone Providers“ Release 2.0 15 October 2007“Principles, Systems and Applications of IP Telecommunications. Services and Security forNext Generation Networks,” October 2008, ISBN: 978-3-540-89053-9; IPTComm July 2, 2008published articles by Ormazabal and Schulzrinne, et al: “Secure SIP: A Scalable PreventionMechanism for DoS Attacks on SIP Based VoIP Systems,” and; “Large Scale SIP-awareApplication Layer Firewall (see 08/ andhttp://www.cs.columbia.edu/ hgs/papers/Yard06 Large.pdf)ATIS Document ATIS-1000026.2008 Session/Border Control Function Definition andRequirements, August 2008NISCC Vulnerability Advisory 004033/NISCC/IPSEC “Vulnerability Issues with IPSecConfigurations”, May 2005IETF RFC 2663 “IP Network Address Translator (NAT) Terminology and Considerations”,August 1999IETF RFC 2401 “Security Architecture for the Internet Protocol”, November 1998IETF RFC 2246 “The TLS Protocol”, January 1999NIST (National Institute of Standards and Technology) “Advanced Encryption Standard (FIPS197)” , November 2001IETF RFC 5853 “Requirements from Session Initiation Protocol (SIP) Session BorderController (SBC) Deployments”, April 2010IETF RFC 3711 “Secure Real-time Transport Protocol (SRTP)”, March 2004IETF RFC 6189 “ZRTP: Media Path Key Agreement for Unicast Secure RTP”, April 2011IETF RFC 4033 “DNS Security Introduction and Requirements”, March 2005IETF RFC 4034 “Resource Records for the DNS Security Extensions”, March 2005IETF RFC 4035 “Protocol Modifications for the DNS Security Extensions”, March 2005IETF RFC 1321 “MD5 Message-Digest Algorithm”, April 1992“Security for IP Interconnection”, Rel. 1.0i3 Forum Proprietary Document9
5Security Trust ModelThis section defines and describes the i3 Forum security trust model. This model is useful for understandingthe general requirements for securing VoIP interconnections.Within the trust model there are 3 security zones: Trusted Zone Trusted But Vulnerable Zone Un-trusted ZoneThese zones are defined by the operational control of the carrier / service providers, by the location of thespecific network element and their connectivity to other network elements. This model is consistent with thetrust model described in ITU-T Y.2701 [2].5.1Trusted ZoneThe Trusted Zone is a zone where a carrier / service provider's network elements and systems reside.Trusted zone elements and systems never communicate directly with external domains such as thenetworks of interconnected partners. The following are characteristics of network elements in the TrustedZone: Located in the carrier / service provider’s domainUnder the full and sole control of the carrier / service providerCommunicate only with other Trusted Zone or Trusted But Vulnerable Zone elements.However, it should not be assumed that because an element is in the Trusted Zone it is secure, TrustedZone elements should be protected by a combination of various methods. For example elements may beprotected by physical security, system hardening, use of authenticated and encrypted signalling or aseparated logical network for communication within the Trusted Zone and with network elements in theTrusted But Vulnerable Zone.5.2Trusted But Vulnerable ZoneThe Trusted But Vulnerable Zone is a zone where network elements are operated by the carrier / serviceprovider; but are not necessarily fully controlled by that carrier / service provider. The following arecharacteristics of network elements in the Trusted But Vulnerable Zone: Located within or outside service provider locationsMay be under the control of partners, customers or the carrier / service providerCommunicate with Trusted Zone or Un-trusted Zone elementsThe role of elements within the Trusted But Vulnerable Zone is to protect the elements in the Trusted Zonefrom the security attacks originated in the Un-trusted Zone. Elements within the Trusted But VulnerableZone that provide connectivity between the Trusted Zone and Un-trusted Zone, located within the carrier /service provider’s domain, are referred to as Network Border Elements. For VoIP interconnections these areBorder Function elements.Elements within the Trusted But Vulnerable Zone should be protected by a combination of various methods,as with Trusted Zone elements.5.3Un-trusted ZoneThe Un-trusted Zone is the zone which includes the network elements belonging to other carriers, serviceprovider or end customers; all other elements not in the Trusted Zone or Trusted But Vulnerable Zonebelong to the Un-trusted Zone. The following are characteristics of network elements in the Un-trusted Zone:“Security for IP Interconnection”, Rel. 1.0i3 Forum Proprietary Document10
Located typically carrier / service provider locationsMay be under the control of anybody, including unknown entitiesShould communicate with the Trusted But Vulnerable Zone onlyCarrier / service provider does not control security policy or may only partially control itElements within the Un-trusted Zone cannot be fully secured by the carrier / service provider.5.4Interconnection Trust ModelFigure 1 shows the zones within the trust model applied to an interconnection between two service providersor carriers:Figure 1: Interconnection Trust ModelThe carrier within this model would see the interconnecting carrier or service provider as being within theUn-trusted Zone and equipment used to communicate with the interconnecting carrier or service providerwould be in the Trusted But Vulnerable Zone; this is true regardless of whether the interconnection is Publicor Private.In the i3 Forum Technical Interconnection Model for International Voice Services [1] document the generalreference architecture is discussed in section 5. The security model can be linked to the referencearchitecture as follows, with reference to figures 1 and 2 in section 5: Call Handling Functions (CHF), Media Gateway and OSS/BSS Systems etc. are in the TrustedZone.Border Functions (IBCF and IBGF) and SIGTRAN SGF are in the Trusted But Vulnerable ZoneOther carrier or service provider systems are in the Un-trusted Zone.“Security for IP Interconnection”, Rel. 1.0i3 Forum Proprietary Document11
6Security ThreatsThis section discusses some of the threats that may be seen by carriers and service providers using VoIPinterconnections: DoS/DDoS Attack Protocol Vulnerabilities Address/Identity Spoofing Theft of Service Rogue Media Session Hijacking Network Intrusion Internal Network Security6.1DoS/DDoS Attack DefinitionDenial of Service (DoS) attacks aim to make unavailable, or degrade the performance of, networkconnectivity or services. A Distributed Denial of Service (DDoS) is a type DoS attack which originates frommany sources to make it more difficult to mitigate and protect against. This section will use DoS attack torefer to both DoS and DDoS attacks and primarily discusses DoS attacks against signalling and mediainterfaces present in VoIP interconnections.There are two classes of DoS attacks: General DoS Attacks Targeted DoS Attacks General DoS AttacksGeneral DoS Attacks aim to overwhelm network elements and cause the maximum amount of disruption.Methods include message amplification and targeted triggering of resource-intensive tasks i.e. an attackermay flood a Border Function system with fake SIP INVITE messages [4] which will consume large amountsof system resources. Attackers may also attempt to exhaust the capacity of network links to the targetelements to prevent access. Targeted DoS AttacksTargeted DoS attacks aim to block access for a particular interconnection or group of interconnections.Methods include launching repeated unsuccessful authorization attempts using the target’s identity to triggeractivation of network protection mechanisms, such as account lockouts and fraud prevention systems.Both types of DoS attacks may be combined with Address Spoofing techniques to increase effectiveness;Address Spoofing is discussed in section 6.3. DiscussionDoS attacks continue to be a problem on the Public Internet and it is common for attackers to use networksof infected hosts i.e. ‘zombie hosts’ or ‘bot-nets' to create large volume attacks. These attacks canoverwhelm load balanced cluster systems and network links when they get very large; attacks have beenseen on the Public Internet at the 50Gbps level. Such large scale attacks are very difficult to protect against.However, attacks against VoIP infrastructure, such as Border Function systems, often require only smallamounts of signalling traffic. E.g. a 2Mbps SIP INVITE attack, which can be generated by a single user,could be at a rate of 300 messages per second which may overwhelm unprotected Border Functionsystems. The effectiveness of attacks may be further increased by targeting exception handling with thetarget system e.g. by causing authorization failures which are often not optimized which can reduce furtherthe amount of traffic required to disable the system. Attacks may also be handled correctly by BorderFunction systems, but cause further problems inside the network e.g. in MG systems or SS7 networkelements. It is important therefore to be able to protect against attacks of small and medium sizes.DoS attacks are most likely to occur when Border Function or MG systems are connected to the PublicInternet with unsecured network connections. With private interconnections the risk is reduced, but noteliminated, as DoS traffic may originate inside a partner network or can be leaked through routing if BGP“Security for IP Interconnection”, Rel. 1.0i3 Forum Proprietary Document12
network advertisements are provisioned incorrectly. Further, if public and private interconnection systemsare shared, e.g. when using a shared VLAN trunk, a DoS attack affecting public interconnections couldcause outages for private interconnections.Mitigation measures include load balancing/clustering to provide sufficient system scale to absorb attacks,the implementation of detection system to analyse attacks, cleaning systems that can use the results ofanalysis to remove attack traffic and coordination with upstream security teams to remove attacks beforethey reach targeted network elements.6.2Protocol Vulnerabilities DefinitionProtocol vulnerability threats use intentionally crafted messages to disable a service/system or gain accessto a system. This is often associated with the production of malformed messages but may include thegeneration of messages that have correct syntax but are out of sequence with other messages, which maycause system errors, e.g. by making a software finite state machine confused.Protocol vulnerabilities can be categorized into the following types: Protocol Implementation VulnerabilitiesProtocol Design and Specification VulnerabilitiesArchitectural Vulnerabilities. Protocol Implementation VulnerabilitiesThese are normally product specific and include, but are not limited to: default or poor configuration settings;buffer overflows and inadequate or non-existent security controls in the product. Implementationvulnerabilities are “short-term” vulnerabilities since the mitigation strategy is usually provided by therespective vendor within a short time in the form of a patch or workaround. This is normally shorter than thetime it takes to address a design or architectural vulnerability, which may involve several organizationsincluding standard bodies and commercial entities. Protocol Design and Specification VulnerabilitiesThese are weaknesses related to a protocol’s design including: security controls, such as integrity,authentication or confidentiality; message properties, such as headers or values and message flows.Vulnerabilities of this type are discovered by long term usage and may take a long time and be very difficultto mitigate. Architectural VulnerabilitiesThese consist of weaknesses where the architectural design and placement of network elements and theirintercommunications can allow an attacker to launch attacks. These are also discovered over long termusage and difficult to mitigate. DiscussionAll protocols and associated implementations can be subject protocol vulnerabilities including: SIP/SIP-I,SIGTRAN, RTP/RTCP, IPSec and ENUM DNS. The more commonly used a protocol or implementation themore vulnerabilities that have been discovered and the more likely it is that mitigation for thosevulnerabilities exists.Attempts to exploit vulnerabilities typically enter the network via Public Internet interfaces and may beenhanced by Address Spoofing techniques to defeat security mechanisms such as ACLs. However, theymay also originate from public or private partner interconnects due to differences in implementations thatallow one implementation to pass unnoticed a malicious packet to a target implementation, because of thissources may be difficult to identify.“Security for IP Interconnection”, Rel. 1.0i3 Forum Proprietary Document13
6.3Address/Identity Spoofing DefinitionSpoofing is where an attacker uses the forged identity of another system or network element to gainunauthorized access or bypass other security mechanisms. In an IP network this identity is typically an IPaddress or MAC address however, there may be other forms of identity in use, such as dialled numberprefixes or reverse DNS records.
FOR SERVICES OVER IP . Workstream "Technical Aspects" White Paper Security for IP Interconnections (Release 1.0) May 2011 "Security for IP Interconnection", Rel. 1.0 2 i3 Forum Proprietary Document Executive Summary To facilitate the transition to IP of international voice interconnections there is a requirement to ensure that
