Hack.LU 2006

In SPace Nobody Can Hear You Scream

Nicolas FISCHBACH, Senior Manager, Network Engineering Security, COLT Telecom

nico@securite.org - http://www.securite.org/nico/ v1


Internet-wide Security Issues

● What kept us up at night :)

● SNMP

● SQL Slammer (and friends)

● Cisco wedge bug

● BGP TCP window [not really actually]

● Botnets and DDoS


Internet-wide Security Issues

● What have we done about it? A lot. Too much maybe?

● Route/prefix filtering

● DDoS detection: Netflow

● DDoS mitigation: BGP (+ MPLS (+ Cleaning))

● xACLs and MPLS Core hiding

● QoS and Control Plane Policing (CoPP)

● BGP TTL trick (GTSM) and BGP TCP md5

● Unicast RPF (uRPF)

● Router security 101

Carrier Backbone

[Diagram: router “types” (cr, ccr, tr, ar, ppr, ixpr, cpe) placed across Core, Edge, Access, Customer (access) and Customer (transit), with neighbouring ISPs (ISPa, ISPb, ISPj, ISPk, ISPm, ISPy); link “types”: Transit, Peering (IX or private), Access (/30).]

Carrier Backbone Security

[Diagram: the same router “types” (Edge, Core, Access, Customer) with the control applied at each: receive ACLs [rACL] / CoPP, infrastructure ACLs [iACL], transit ACLs edge [tACLe], transit ACLs access [tACLa], BGP (md5 / TTL), QoS, uRPF.]

Carrier Backbone DDoS Detection

● Netflow (src/dst IP/port, protocol, ToS, interface - no payload, BPS/PPS/Time)

[Diagram: (Sampled) Netflow exported by the Edge/Access routers (tr, ccr, ar, ppr, ixpr) to collectors, Aggregated Netflow / Flows to a controller, (SNMP) Alerts to the NOC.]
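A minimal Netflow-based detector in the spirit of the collector/controller shown above, added here as an example and not taken from the slides. It works only on the header-level fields Netflow exports (no payload), scales sampled records back up, and flags targets by PPS/BPS; the sampling rate, thresholds and flow records are constructed assumptions.

```python
# Added example, not from the slides: a minimal Netflow-based DDoS detector in the
# spirit of the collector/controller in the diagram. It uses only the header-level
# fields Netflow exports (src/dst IP, ports, protocol, packets, bytes, timestamps),
# so no payload is needed; sampled records are scaled back up by the sampling rate.
# Assumptions: 1:1000 sampling and the two alert thresholds below.
from collections import defaultdict, namedtuple

Flow = namedtuple("Flow", "start end src dst proto sport dport packets bytes")
SAMPLING_RATE = 1000           # assumed 1:1000 sampled Netflow on the access routers
PPS_THRESHOLD = 500_000        # assumed alert threshold: packets/s towards one target
BPS_THRESHOLD = 1_000_000_000  # assumed alert threshold: bits/s towards one target

# Constructed sampled flow records over a 10 s window (documentation addresses).
FLOWS = [
    Flow(0, 10, "198.51.100.7", "192.0.2.10", 6, 40000, 80, 3000, 180000),
    Flow(0, 10, "198.51.100.8", "192.0.2.10", 6, 40001, 80, 2800, 168000),
    Flow(0, 10, "203.0.113.5", "192.0.2.10", 17, 53, 53, 400, 600000),
    Flow(0, 10, "203.0.113.9", "192.0.2.20", 6, 51000, 443, 12, 14000),
]

def aggregate(flows, sampling_rate=SAMPLING_RATE):
    """Per destination: (pps, bps, distinct sources), scaled by the sampling rate
    and normalised over the observation window covered by the records."""
    window = max(max(f.end for f in flows) - min(f.start for f in flows), 1)
    pkts, byts, srcs = defaultdict(int), defaultdict(int), defaultdict(set)
    for f in flows:
        pkts[f.dst] += f.packets * sampling_rate
        byts[f.dst] += f.bytes * sampling_rate
        srcs[f.dst].add(f.src)
    return {d: (pkts[d] / window, byts[d] * 8 / window, len(srcs[d])) for d in pkts}

def detect(flows):
    """Controller logic: return (dst, pps, bps, sources) for every target over a
    threshold; the dst is what a BGP-based mitigation would then act on."""
    return [(d, pps, bps, n) for d, (pps, bps, n) in aggregate(flows).items()
            if pps > PPS_THRESHOLD or bps > BPS_THRESHOLD]
```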

DDoS Attack Mitigation

[Diagram: Internet, ircd/p2p and target server; Sampled Netflow at the peering edge and core (Network Level Mitigation), Deep Packet Inspection at the access layer (Data Center Level Mitigation).]

Carrier Backbone DDoS Mitigation

[Diagram: “Attack” traffic arriving at the Edge routers (tr, ppr, ixpr), Flows, an inspection point in the Core separating “Bad” traffic from “Good” traffic (VoIP), Access routers (ar).]

Internet-wide Security Issues

● What has really changed?

● Route filtering: still quite relaxed

● DDoS detection, but weak mitigation: DDoS == background noise

● QoS: not for security, but for NGN

● CoPP: not widely deployed

● uRPF: not widely deployed

● BGP: md5 common (but useful?), TTL-trick (the exception)

Internet-wide Security Issues

● Have we learned the lesson?

● IPv6

● Lots of security features in software (not in hardware)

● Will we ever see SoBGP / Secure BGP? Do we need it?

● Going up the stack, no mitigation at network level anymore (everything on top of 80/tcp, DNS attacks, etc)

Security Features

● What's the driver?

● How to get those features across product ranges and vendors

● Shift of features towards edge, access, last/first mile

● But these features are not (often) security features

● Devices that never “saw” the “bad” Internet

● Features vs power vs cooling

● Hardware limitations (FPGA, ASIC, NP)

Security – which future?

● No “big” “nation-wide” “critical infrastructure” issue recently

● IP/Data network infrastructure has become a commodity (until it's down)

● No focus on infrastructure security anymore (but the wake up call will be “funny”)

● So where do people put security research and resources?

NGN (Next Generation Networks)


NGNs

● Next Generation Networks

● VoIP and IMS

● Ethernet/DSL services

● Converged Networks

● Moving up and down the stack at the same time

PBX Trunking over IP

[Diagram: customer PBX (POTS, DTMF, T.38 (FAX), 64kUR (PBX Mgmt)) - PRI (ISDN over E1) - MGW CPE - H.323(/MGCP)/RTP across the Internet with no NAT - FW - Softswitch (MGCP) - Voice Switch - TDM PSTN; customers shown as VoIP/ToIP, no NAT.]

Wholesale Voice over IP

[Diagram: TDM PSTN - Voice Switch - PRI (ISDN over multiple E1s or STM-1s) - MGW - SIP/RTP (MGCP from the Softswitch) across the Internet; POTS and VoIP/ToIP customers; an SBC towards another carrier's VoIP core (H.323/RTP via its MGW and Voice Switch).]

Security challenges

● VoIP protocols

– No, VoIP isn't just SIP

– SIP is a driver for IMS services and cheap CPEs

– H.323 and MGCP (still) rock the carrier world

● Security issues

– VoIP dialects

– Only a couple of OEM VoIP stacks (think x-vendor vulnerabilities)

– FWs / SBCs: do they solve issues or introduce complexity?

– Are we creating backdoors into customer networks?

– CPS and QoS

Session Border Controller

● What is the role of an SBC?

– Security

– Hosted NAT traversal (correct signalling / IP header)

– Signalling conversion

– Media conversion

– Stateful RTP pin-holing based on signalling

● Can be located at different interfaces: Customer/Provider, inside customer LAN, Provider/Provider (VoIP peering)

● What can be done on a FW with ALGs?
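The “stateful RTP pin-holing based on signalling” point above, as an added example that is not from the slides or any SBC product: the SBC reads the SDP carried in a constructed SIP INVITE / 200 OK, opens only the announced media endpoints (plus RTCP on port+1), and closes them on the BYE for that Call-ID. It assumes a single session-level c= line per SDP body.

```python
# Added example, not from the slides: an SBC deriving RTP "pinholes" from the
# signalling it relays. The SDP of a (constructed) INVITE / 200 OK names the media
# endpoints; only those ip:port pairs (+1 for RTCP) are opened, and they are closed
# when the BYE for that Call-ID is seen. Assumes one session-level c= line per SDP.
import re

class SbcPinholes:
    def __init__(self):
        self.calls = {}  # Call-ID -> set of (ip, port) allowed on the media plane

    @staticmethod
    def media_endpoints(sdp):
        """Pair the session-level c= address with every m=audio port (+1 for RTCP)."""
        conn = re.search(r"^c=IN IP4 (\S+)", sdp, re.M)
        ports = re.findall(r"^m=audio (\d+) RTP/AVP", sdp, re.M) if conn else []
        return {(conn.group(1), int(p) + off) for p in ports for off in (0, 1)}

    def on_signalling(self, msg):
        """Feed one SIP message: open on INVITE/200 OK carrying SDP, close on BYE."""
        head, _, body = msg.partition("\r\n\r\n")
        call_id = re.search(r"^Call-ID:\s*(\S+)", head, re.M).group(1)
        if head.startswith("BYE "):
            self.calls.pop(call_id, None)
        elif body:
            self.calls.setdefault(call_id, set()).update(self.media_endpoints(body))
        return self.calls.get(call_id, set())

    def allow_rtp(self, ip, port):
        """Per-UDP-packet media-plane check: is (ip, port) behind an open pinhole?"""
        return any((ip, port) in eps for eps in self.calls.values())

# Constructed signalling for one call (Call-ID abc123), documentation addresses only.
INVITE = ("INVITE sip:bob@192.0.2.50 SIP/2.0\r\nCall-ID: abc123\r\n\r\n"
          "v=0\r\nc=IN IP4 198.51.100.10\r\nm=audio 49170 RTP/AVP 0\r\n")
OK_200 = ("SIP/2.0 200 OK\r\nCall-ID: abc123\r\n\r\n"
          "v=0\r\nc=IN IP4 192.0.2.50\r\nm=audio 6000 RTP/AVP 0\r\n")
BYE = "BYE sip:bob@192.0.2.50 SIP/2.0\r\nCall-ID: abc123\r\n\r\n"

def simulate_call():
    """Media-plane decisions while the call is up, then after the BYE."""
    sbc = SbcPinholes()
    sbc.on_signalling(INVITE)
    sbc.on_signalling(OK_200)
    during = (sbc.allow_rtp("198.51.100.10", 49170),  # caller RTP: open
              sbc.allow_rtp("192.0.2.50", 6001),       # callee RTCP: open
              sbc.allow_rtp("192.0.2.50", 5060))       # not in any SDP: blocked
    sbc.on_signalling(BYE)
    return during, sbc.allow_rtp("198.51.100.10", 49170)  # closed after BYE
```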

IMS services

● IMS = IP Multimedia Subsystem

● Remember when the mobile operators built their WAP and 3G networks?

– Mostly “open” (aka terminal is trusted)

– Even connected with their “internal”/IT network

● IMS services with MVNOs, 3G/4G: overly complex architecture with tons of interfaces

● Large attack surface: registration/tracking servers, application servers, etc

● Firewalling: complex if not impossible


IMS Future Threats

● FMC: Attack Fixed<->Mobile handover (GSM<->WiFi)

● “Vishing” (VoIP Phishing): risks associated with IVR

● Abusing IN systems


MSP and IP DSLAM

● Multi-Service Platform aka Carrier Ethernet

● IP/Ethernet DSLAMs

● Remember all the “LAN only” layer 2 attacks?

● dsniff is not dead ;-)

● VLANs, TCAM, etc.

● Basic IP features on DSLAMs


Conclusion

● Last 5 years: infrastructure security

● Next 5 years: NGN security

● In a couple of years: learn the hard way that NGN needs a stable and secure underlying infrastructure