Secure Telephony Enabled Middle-box (STEM)

1
Secure Telephony Enabled Middle-box (STEM)
STEM is proposed as a solution to network
vulnerabilities, targeting the transmitting of
real-time data over enterprise networks.

• Maggie Nguyen

Dr. Mark Stamp SJSU - CS 265 Spring 2003
2
Topics

• IP Telephony Overview
• IP Telephony Components
• IP Telephony Protocols
• How SIP Works
• STEM Architecture
• Architecture Components
• Call Scenarios
• STEM Security Countermeasures
• DoS Attack
• Eavesdropping

3
IP Telephony Components

• Gateways
• Gatekeepers
• IP Telephones
• PC-based Software
• Phones
• MCUs

4
IP Telephony Protocols

• Internet Engineering Task Force (IETF)
• Signaling Session Initiation Protocol (SIP)
• Transport Real Time Protocol (RTP)
• Media Description Session Description Protocol
  (SDP)
• International Telecommunications Union (ITU)
• Signaling H.323
• Codecs G.711 (PCM), G.729,
• ISDN Q.931
• STEM architecture is currently using the network
  required for SIP deployment.

5
How SIP Works SIP Call Setup
The Location Service is being queries to check
that the destination SIP URI represents a valid
registered device, and requests for its IP Address
DNS Server
DNS Query for the IP Address of the SIP Proxy of
the Destination Domain
Location Service
The INVITE is forwarded
4
2
3
A request is sent (SIP INVITE) to ESTABLISH a
session
SIP Proxy
5
The request is forwarded to the End-Device
SIP Proxy
1
SIP IP Phone sipbob_at_cs.sjsu.edu
6
Media Transport
Destination device returns its IP Address to the
originating device and a media connection is
opened
SIP IP Phone sipalice_at_alanta.com
6
How SIP Works SIP Call Sequence
DNS Server
The Location Service is being queries to check
that the destination SIP URI represents a valid
registered device, and requests for its IP Address
DNS Query for the IP Address of the SIP Proxy of
the Destination Domain
Location Service
SIP Proxy
FW SIP INVITE
100 Trying
180 Ringing
200 OK
FW SIP INVITE
ACK
180 Ringing
200 OK
SIP Proxy
SIP INVITE
ACK
100 Trying
180 Ringing
200 OK
ACK
SIP IP Phone sipbob_at_cs.sjsu.edu
Both Way RTP Media
BYE
200 OK
SIP IP Phone sipalice_at_alanta.com
7
STEM Architecture Components

• Security Manager (SM)
• Enhanced Firewall
• Media / Signaling Gateway (M/S Gateway)
• User Terminals

8
STEM Enhanced Firewall

• Pattern Matcher
• Protocol Parser
• Flow Monitor
• Application Gateway
• External Interface

9
Call Scenarios Net-to-Net
10
Call Scenarios Net-to-Phone
11
STEM Security Countermeasures

• Denial of Service
• TCP SYN Floods detected by Flow Monitor.
• SIP INVITE Floods detected by Protocol Parser.
• Malicious RTP Streams detected by Flow Monitor.
• M/S Gateway Voice Port saturation.
• Eavesdropping
• Control Flow STEM uses secured communication
  protocols among SM, firewall, M/S gateways.
• Data Flow STEM replies on application protocols
  (SIP or H.323) to implement payload encryption.

12
References

• International Engineering Consortium. H.323.
• http//www.iec.org/online/tutorials/h323/
• Reynolds, B. Challenges Challenges and Rewards
  in Enterprise Deployments of IP Telephony
  Presentation. http//networks.cs.ucdavis.edu/gho
  sal/Research/Talks/IP-Tel-Netlab20talK20-20rev
  202.ppt
• Reynolds, B. Deploying IP Telephony in an
  Enterprise and the Vulnerabilities that Come With
  It Presentation. http//seclab.cs.ucdavis.edu/sec
  sem2/ReynoldsSeminar.ppt
• Reynolds, B. and D. Ghosal. STEM Secure
  Telephony Enabled Middlebox. IEEE Communications
  Magazine Special Issue on Security in
  Telecommunication Networks. October 2002
• http//www.off-pisteconsulting.com/research/pubs/
  ieee_comm.pdf