The convergence of telecom networks on IP may have brought about an unprecedented ability to roll out new and flexible services, but it has also brought an increasing number of security risks that require service providers to take proactive steps on many fronts. Now that converged networks carry voice, data, web access and email, something like a denial of service attack can disrupt every service, not just one. Why? Because the protocols used in IP networks are all based on publicly available standards, and detailed information on their operation is available to anyone.
Since IP networks are much more vulnerable to attack than circuit-switched networks, this Telecom Insights guide looks at specific security precautions that telecom service providers need to address, including how to protect e-mail and VoIP services. The trick is making each protective technique appropriate for the service it is protecting.
Telecom network security requires constant vigilance
E-mail security protocols add service provider requirements
Short-circuiting hackers' SIP-based VoIP attacks
Telecom network security requires constant vigilance
by David B. Jacobs
The variety of security threats faced by telecom providers has increased as they have expanded their offerings beyond circuit switched voice. Telecoms have dealt with service theft for years, but today's threats can be much more damaging than the payphone coin thefts of yesterday.
Threats can take the form of denial of service attempts in which an attacker disrupts operation of the network itself. Since the same converged network carries voice, email and web access, all are blocked by an attack.
The increase in threats is due to two factors:
- IP networks are more vulnerable to attack than circuit switched networks
- Each Internet-based service can be attacked in specific ways. Service providers must employ protective techniques appropriate for each service.
IP network vulnerability
The protocols used in IP networks are all based on publicly available standards. Detailed information on their operation is available to anyone. Security issues and problems are freely discussed on the Internet. Information and software tools for hackers are openly offered.
Network elements such as DHCP servers, DNS servers and routers must be accessible to customer equipment to provide service. Customer access to this equipment makes it possible to try to gain control by methods like guessing administrator passwords.
Even when administrator access is blocked, other techniques like SNMP can be used to gain information about configuration details and revision levels. Network equipment vendors frequently publish notices describing security problems in a specific revision level. Any network element that is not immediately updated following a security notice is therefore vulnerable to attack.
The worldwide nature of the Internet means that threats can come from anywhere -- from Russian hackers collecting ransom from a UK betting firm to stop their denial of service attack, to Chinese hackers breaking into U.S. department store systems to steal credit card information. The difficulties of working across national boundaries often make apprehending and prosecuting attackers difficult or impossible.
Of course, a variety of Internet services equals a variety of attack possibilities. Each service available via the Internet has attracted attacks. Email brought with it spam and phishing. Web access made sites carrying malware like Trojan horses and key loggers possible.
VoIP theft possibilities
Theft of service from service providers has received less discussion than fraud attempts against end users, but Internet service theft has been a continuing problem. VoIP provides additional theft opportunities.
Modem cloning and modem uncapping are two methods used to steal cable Internet service. Modem cloning makes it possible to access Internet service without paying for it. Uncapping makes it possible to pay for low bandwidth access while utilizing high bandwidth. Detailed instructions and software tools for both are easily found on the web. DSL modems cannot be uncapped, but it is possible to steal service by scanning the network for modems that retain the default administrator username and password.
VoIP offers multiple avenues for fraud and theft of service. A single infected computer within a large enterprise can reveal usernames and passwords for all users. This information can enable an attacker to not only steal VoIP service but also to monitor VoIP traffic.
In a more sophisticated theft, a Miami man was arrested after allegedly operating what appeared to be a legitimate wholesale VoIP provider for two years in which he stole $1 million. He was able to offer low prices because he had hacked into legitimate providers and was routing traffic over their networks.
Defending against fraud
There is no single foolproof method to protect against threats. Telecoms must follow security guidelines carefully:
- Choose passwords carefully and change them often
- Update quickly when vendors release security patches
- Block probes of network elements
- Don't permit user access to administrator interfaces and block SNMP access
- Protect dial-up access to console ports with two-factor authentication
Take advantage of security features. For example, the DOCSIS standard for cable modems includes features to make cloning and uncapping more difficult, but many providers have not taken advantage of them.
Monitor network statistics carefully. The wholesale VoIP theft was detected only when the victimized providers reconciled their traffic levels with billing information. Cable providers can detect cloned modems by noticing that the number of IP addresses in use on a link exceeds the number allocated for legitimate users.
Finally, maintain close contact with equipment vendors and industry groups. Monitor Internet discussion forums to remain informed about the latest targets and threat techniques.
E-mail security protocols add service provider requirements
by David B. Jacobs
Two recently developed protocols, Domain Keys Identified Mail (DKIM) and Sender Policy Framework (SPF), provide tools to protect service providers and their customers from e-mail fraud attempts.
The goal of both protocols is to reduce spam by providing a way for legitimate e-mail senders to provide a clear indication of the actual source of mail. DKIM and SPF provide methods to verify the identity of the sender.
DKIM is specified by RFC 4871 and SPF by RFC 4408. See DKIM.org and the Sender Policy Framework Project Overview for more information. DKIM and SPF can each be used alone, or both protocols can be used together.
The primary goal of both protocols is to eliminate phishing. Using the protocols, anyone sending e-mail, such as a bank, can securely identify mail it sends. Any mail purporting to come from that bank but not using the protocols is clearly fraudulent and can be filtered out by anti-spam products.
DKIM protects against falsification of the "From" address specified in the RFC 2822 message header. This is the source address normally displayed by a receiving e-mail client. Public key cryptography is used to sign a hash of the entire mail message, including the source address and the contents of the message.
The receiving server fetches the sender's public key from DNS and uses it to verify the signature, recovering the signed hash. The receiver computes the hash of the received message and compares it to the recovered hash. If the hashes match, the message did in fact come from the source address indicated. The hash is computed over the entire contents of the mail, so DKIM also guarantees that message contents have not been modified along the way.
SPF addresses the case where the return address in the RFC 2821 SMTP envelope is falsified. A sender implementing SPF creates DNS records specifying the IP addresses of all the systems within the sender domain that legitimately send mail.
The receiver of the mail accesses the DNS entry of the purported sending domain. If the IP address from which the mail came does not match one of the legitimate e-mail senders, the mail did not actually come from the indicated domain.
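The SPF check just described, as an added example that is not part of the article: a minimal evaluator for the ip4, ip6, include and all mechanisms of RFC 4408, run against a constructed in-memory stand-in for DNS so that it works offline. The domains, records and addresses are hypothetical; the a, mx, ptr and exists mechanisms and redirect= are not implemented.

```python
# Added example (not the article's code): simplified SPF evaluation.
import ipaddress

# Constructed stand-in for DNS TXT lookups (hypothetical domains and addresses).
FAKE_DNS = {
    "example-bank.test": "v=spf1 ip4:192.0.2.0/24 include:mailer.test -all",
    "mailer.test": "v=spf1 ip4:198.51.100.7 ip6:2001:db8::/32 ~all",
    "nospf.test": "",
}

# Qualifier prefix on a mechanism -> result when that mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(client_ip, domain, dns=FAKE_DNS, depth=0):
    """Return pass/fail/softfail/neutral/none/permerror for a connecting IP."""
    if depth > 10:                       # RFC 4408 caps recursive lookups
        return "permerror"
    record = dns.get(domain, "")
    if not record.startswith("v=spf1"):
        return "none"                    # sender has not published SPF
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qual = "+"                       # mechanisms default to "pass" when matched
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            return QUALIFIERS[qual]      # "all" always matches; ends evaluation
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qual]
        elif name == "include":
            # include: counts as a match only if the referenced domain yields "pass"
            if check_spf(client_ip, arg, dns, depth + 1) == "pass":
                return QUALIFIERS[qual]
        # Simplification: other mechanisms (a, mx, ptr, exists) are treated as no-match.
    return "neutral"                     # nothing matched and no "all" present
```

A receiving server would act on "fail" (reject or flag) and on "none" (the sender has published nothing, so SPF says nothing about the message).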
Ongoing work to stop fraudulent mail
Mechanisms to identify fraudulent mail are not sufficient. Many bulk e-mailers, especially financial institutions, have committed to use one, and in some cases, both protocols. But the protocols will not be immediately universally adopted. Receiving sites must have a way to determine whether the indicated sending domain is using the protocols.
Work is currently underway on Author Signing Practices (ASP). A sender uses ASP to specify in its DNS entry whether DKIM is used and whether it is used on all mail from that sender. Receiving sites check the sender's DNS entry to determine whether mail received from the site should be signed. ASP is defined in draft RFC draft-ietf-dkim-ssp-03.
Similarly, receiving sites determine from the sender's DNS entry whether the site is using SPF. If so, the sender has listed the addresses of all of its servers that send mail. If such a list is present, the sender is using SPF, and the receiving server must check that the mail came from one of the listed servers.
Service provider requirements
The Financial Services Roundtable, an organization of the nation's largest financial institutions, has pledged to adopt DKIM and SPF by October of this year. When they have done so, customers will expect their service providers to follow suit.
Bringing the benefit of these advances to customers will require service providers to do the following:
- Deploy updated software in both the incoming and outgoing mail paths. In some cases, it may be necessary to upgrade servers or hardware e-mail appliances to cope with increased processing load.
- Work with customers that maintain their own e-mail servers to utilize the new protocols.
- Educate all customers on the capabilities and limitations of the new protocols.
Service providers must upgrade software to implement these protocols to examine received mail. ASP must be added later this year when the standard is finalized. Early adopters have not experienced significant increased load from the additional DNS references, but the incremental processing required by public key encryption may require upgrades to servers or e-mail appliances.
Customer requirements may make it necessary to deploy DKIM and/or SPF for sent mail. If DKIM is required, public key certificates must be obtained and the necessary software added to sign outgoing mail.
Customer e-mail security requirements
Service providers must assist their customers who maintain their own e-mail servers. Customers will need help understanding the requirements, adding the software, and those intending to sign mail with DKIM may need help obtaining a public key certificate.
Both DKIM and SPF are aimed primarily at eliminating phishing. They will not eliminate all spam or eliminate all fraud attempts. Not all legitimate e-mail will use the protocols, so anti-spam products cannot filter out mail that isn't using them.
More confusing, e-mail using the protocols is not necessarily legitimate. Those who send out mail claiming to need help retrieving a large fortune from a foreign bank can use the protocols. Both DKIM and SPF verify the identity of the sender, but say nothing about the content of the message.
DKIM and SPF do not promise to be the ultimate spam solution; they are simply two more tools that can reduce spam and the amount lost due to fraudulent e-mail.
Short-circuiting hackers' SIP-based VoIP attacks
by David B. Jacobs
Hacker attacks against SIP-based VoIP networks have been rare. But as the use of the protocol grows and extends to other types of multimedia interaction, attacks will become more prevalent and potentially slow the growth of this technology. Service providers must work with standards bodies, equipment suppliers and customers to develop and deploy defenses.
Currently most SIP usage simply provides a less expensive way to link an enterprise's phones to the public switched telephone network (PSTN) or provides an interconnect to an enterprise's remote offices. But as SIP providers interconnect with each other to provide purely digital paths that never touch the PSTN, the danger of hacker attacks is increasing.
Generally, attacks fall into two broad categories:
- Service disruption
- Fraud attempts
Hackers can attempt to disrupt a service provider or an enterprise in ways similar to those used to block access to websites. Denial of service attacks can be carried out by sending thousands of either REGISTER requests or INVITE requests.
SIP end-user clients send a REGISTER request to the domain's Registration Server to announce the IP address to which incoming calls should be directed. The Registration Server must be able to accept commands from outside the enterprise's or service provider's network to enable calls to be directed to a SIP-enabled cell phone. Multiple registrations for a phone number can exist simultaneously so incoming calls can ring a desk phone and cell.
Hackers can flood a Registration Server with thousands of REGISTER requests, and each must be authenticated. Depending on the method used, verification can take a significant level of compute resource. A flood of requests can prevent processing legitimate requests.
The SIP INVITE command signals an incoming call. Since an incoming call can come from anywhere, no authentication is required. INVITE requests come first to the Domain Proxy. The Domain Proxy then accesses the domain's Location Service to find the IP address or addresses currently registered for the called party. A flood of hacker-initiated INVITE requests will consume the resources of the Domain Proxy and the Location Service. Possibly more serious, calls that do get through can ring phones throughout the attacked enterprise.
Networks carrying both voice and data VLANs are vulnerable. Hackers publicized how they used freely available network scanning software to compromise a hotel network, gaining access to the hotel's internal corporate network.
Registration hacking is a way to listen in on others' calls. It requires the hacker to gain access to the target's registration authentication credentials. The hacker sends a REGISTER request to the Registration Server. The command directs all calls intended for the targeted recipient to the hacker. Since it is possible to have multiple registrations simultaneously, the call will go to the intended recipient and to the hacker. Use of a secure authentication method protects against this type of threat.
Vishing is the voice equivalent of phishing. Instead of email with an embedded link, the victim receives a phone call from a bank or credit card company. The victim is requested to call a specified number. The recorded message at that number requests account information. Individuals who would not be deceived by phishing have fallen victim to vishing.
Spam over Internet telephony (SPIT) can be even more aggravating than email spam. Infected zombies can be used, just as they are used to generate spam, to increase the volume and camouflage the message source. Both vishing and SPIT could be generated via the PSTN using automated phone equipment, but it would require dialing individual phone calls. Vishing and SPIT messages can be generated by the thousands. Receiving dozens of calls each day advertising drugs or pornography will drive users to switch back to traditional phone service.
Service provider defense measures
Service providers must remain vigilant against security threats or risk losing customers who fall victim to attacks.
The choice of network components is key. Both firewall vendors and Session Border Controller (SBC) vendors claim protection against SIP threats. Firewalls protect against threats carried by the SIP protocol packets themselves. SBCs also correlate session parameters established by the SIP protocol with the RTP data stream. This protects against a type of theft of service in which the SIP protocol specifies a low bandwidth session, but then a high bandwidth stream of RTP packets is sent.
SBCs also filter incoming REGISTER and INVITE requests to protect network components from denial of service attacks. The SBC discards requests that exceed network capacity but recognizes and passes through prioritized requests, such as 911 calls. Some SBCs have been enhanced to detect and block SPIT and other types of threats such as viruses carried in SIP headers.
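The REGISTER/INVITE flood described earlier and the SBC filtering described here, as an added example that is not part of the article and not any vendor's SBC code: a per-source sliding-window budget for signalling requests that drops a source's excess requests while always forwarding emergency INVITEs, run over a constructed sample of parsed SIP log entries. The window size, budget, addresses and URIs are hypothetical.

```python
# Added example (not the article's code): SBC-style signalling rate limiter.
from collections import defaultdict, deque

WINDOW_SECONDS = 10          # hypothetical sliding window
MAX_PER_SOURCE = 20          # hypothetical per-source budget within one window
EMERGENCY_USERS = {"911", "112"}


class SipRateLimiter:
    def __init__(self, window=WINDOW_SECONDS, limit=MAX_PER_SOURCE):
        self.window, self.limit = window, limit
        self.seen = defaultdict(deque)      # src_ip -> admitted timestamps in window
        self.dropped = defaultdict(int)     # src_ip -> dropped count, for alerting

    def _prune(self, src, now):
        q = self.seen[src]
        while q and now - q[0] >= self.window:
            q.popleft()                     # forget requests older than the window

    def admit(self, now, src, method, request_uri):
        """Return True if the request should be forwarded to the proxy/registrar."""
        if method not in ("REGISTER", "INVITE"):
            return True                     # only the flood-prone methods are budgeted
        # "sip:911@example.test" -> "911"
        user = request_uri.split(":", 1)[-1].split("@", 1)[0]
        if method == "INVITE" and user in EMERGENCY_USERS:
            return True                     # prioritized calls bypass the budget
        self._prune(src, now)
        if len(self.seen[src]) >= self.limit:
            self.dropped[src] += 1
            return False                    # source exceeded its budget: discard
        self.seen[src].append(now)
        return True


# Constructed sample of parsed SIP signalling entries: (time, src_ip, method, request-uri).
# One source sends 30 INVITEs in 3 seconds; a second source registers once;
# the flooding source then places an emergency call that must still get through.
SAMPLE_LOG = [(0.1 * i, "203.0.113.7", "INVITE", "sip:1001@example.test") for i in range(30)]
SAMPLE_LOG += [(1.5, "198.51.100.2", "REGISTER", "sip:alice@example.test"),
               (2.0, "203.0.113.7", "INVITE", "sip:911@example.test")]


def run(log, limiter=None):
    """Apply the limiter to a log; return (forwarded entries, dropped counts per source)."""
    limiter = limiter or SipRateLimiter()
    forwarded = [entry for entry in log if limiter.admit(*entry)]
    return forwarded, dict(limiter.dropped)
```

A real SBC would also apply a global capacity budget and feed the dropped counts to monitoring, which is what reveals a flood in progress.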
Service providers must monitor and assist in the work of standards bodies as they develop defenses against threats. Service providers must adopt standards as they are developed and insist that enterprise customers adhere to the requirements placed upon them.
Enterprise customers must also be educated about how to address threats beyond the service provider interface. For example, placing a firewall between data and voice VLANs protects against hackers who attempt to gain access to the internal data network.
Viruses and spam have been expensive irritants to email and web users. SIP and VoIP offer attractive targets to hackers. Only vigilance on the part of all interested parties can protect against potentially serious damage from attacks.
About the author
David B. Jacobs of The Jacobs Group has more than 20 years of networking industry experience. He has managed leading-edge software development projects and consulted with Fortune 500 companies, as well as software start-ups.