
“Securing IP Multimedia Subsystem (IMS) infrastructures: protection against attacks”

M. Tsagkaropoulos
Dept. of Electrical and Computer Engineering, Wireless Telecommunications Laboratory
University of Patras, Patras 26500, Greece
Email: [email protected]

47th FITCE Congress, London 2008


Agenda

• NGN Networks
• IMS Architecture
• IMS Security Framework
• Vulnerabilities in IMS
• Security Mechanisms & enhancements
• Conclusions


NGN Vision (1)

• Transition to an “All-IP” network infrastructure.
• Convergence among network and services.
• Support of heterogeneous access technologies (e.g. WLANs, WiMAX, xDSL, etc).
• Unified control architecture to manage applications and services.


NGN Vision (2)

• Seamless handovers across both homogeneous and heterogeneous wireless technologies.
• Mobility, nomadicity and QoS support on or above the IP layer.
• Provisioning of triple-play services, creating a service bundle unifying video, voice and Internet.


Converged Network Concept

(Figure: a common IP Network with Management, Control and Signalling functions; access via WiMAX AP, UMTS/WCDMA, HSDPA, LTE and WLAN AP; AAA, Application, Policing and Server Farm elements; connection to the Internet.)


Convergence Realization

• Common service delivery platform on fixed, mobile/wireless, broadcast and IP-based networks
• IP Multimedia Subsystem (IMS)
  – Originally standardized by 3GPP and 3GPP2 in the mobile world
  – Extended for the fixed domain by ETSI (TISPAN, NGN) and ITU-T


IP Multimedia Subsystem (IMS)

• Goal
  – Access, Security, Mobility, QoS, Charging, Service Platform Integration
• Extended Functionalities
  – IMS is the central point of control for multiple applications and services
  – Handling of different user profiles
  – Service Discovery


IMS Architecture

• Signaling Plane
  – Proxy Call/Session Control Function (P-CSCF)
  – Interrogating CSCF (I-CSCF)
  – Serving CSCF (S-CSCF)
  – Media Gateway Function
• Application Plane
  – Application Servers
    • Presence, Instant Messaging
  – Home Subscriber Subsystems
• Media Server


IMS Security Architecture


IMS Vulnerabilities

• Denial of Service
• SQL Injection
• Eavesdropping
• Tearing down sessions
• Registration hijacking
• Session hijacking
• Impersonating a server
• Man in the middle


IMS Existing Security Plane

• Authentication & Key Agreement between IM subscriber and home network
• Security Mechanism Agreement between IM client and visited network
• Integrity Protection and Confidentiality
• Network Domain Security between different Domains (?)
• Existing GPRS/UMTS Access Security


Security Mechanisms

Attacks:
• BYE & CANCEL attacks
• Eavesdropping
• Registration & Session Hijacking
• Man-In-the-Middle attacks
• SIP Message flooding
• SQL Injection

Existing mechanisms set against these attacks on the slide: IPSec & TLS; Authentication & Authorization; None.


Proposed Security Architecture

(Figure: IMS Client (Alice) reaches the IMS Core over the Internet (IP connectivity) via the Gm interface to the P-CSCF; P-CSCF, I-CSCF and S-CSCF are linked over Mw, the HSS over Cx, and the Application Servers Farm over ISC. An IDS sits at the IMS Core, built from a SER SIP Server, Detection Rules, an Attack Detection module and a User List / Blacklist.)


IMS Security Target

• Handling Protocol Vulnerabilities

• Protection against Attacks

• SPAM Handling


IDS Use Cases

(Figure: the IDS performs attack detection at the P-CSCF for four use cases: REGISTER flooding detection, INVITE flooding detection, SQL injection detection and malformed message detection.)
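The four IDS use cases of this slide, worked through as a small Python detector. This is an added example and is not code from the presentation, from the author's IDS or from the C++ attack tool mentioned later; the rate threshold (5 requests per 1 s window), the host name, the addresses and every SIP message are constructed assumptions, and the SQL-pattern signature is a crude illustration rather than a production rule.

```python
"""Toy SIP intrusion-detection logic covering the four IDS use cases on the
slide: REGISTER flooding, INVITE flooding, SQL-injection patterns and
malformed messages.  Added example; the threshold, the window and every
SIP message below are constructed, not captured from a real IMS core."""
import re
from collections import defaultdict, deque

# Request line of a SIP request (RFC 3261): METHOD Request-URI SIP/2.0
REQUEST_LINE = re.compile(r"^(REGISTER|INVITE|ACK|BYE|CANCEL|OPTIONS) (sip:\S+) SIP/2\.0$")
# Headers every request must carry; a message missing one is treated as malformed.
REQUIRED_HEADERS = ("Via", "From", "To", "Call-ID", "CSeq")
# Crude signature for SQL meta-characters in identity fields (tune before deploying;
# a display name such as O'Brien must not trip it, hence a quote needs OR/AND after it).
SQL_PATTERN = re.compile(
    r"('\s*(OR|AND)\b|--|;\s*(DROP|SELECT|INSERT)\b|\bUNION\s+SELECT\b)", re.IGNORECASE)


def parse_sip(raw):
    """Return (method, headers) for a request, or raise ValueError if it is malformed.
    Header names are matched case-sensitively here; a real parser must also accept
    compact forms and arbitrary case."""
    lines = raw.split("\r\n")
    match = REQUEST_LINE.match(lines[0])
    if not match:
        raise ValueError("bad request line")
    headers = {}
    for line in lines[1:]:
        if line == "":          # empty line ends the header block
            break
        if ":" not in line:
            raise ValueError("header without colon")
        name, value = line.split(":", 1)
        headers[name.strip()] = value.strip()
    missing = [h for h in REQUIRED_HEADERS if h not in headers]
    if missing:
        raise ValueError("missing headers: " + ",".join(missing))
    return match.group(1), headers


class SipIds:
    """Per-source rate limiter plus message checks, sitting in front of the P-CSCF."""

    def __init__(self, max_per_window=5, window=1.0):
        self.max_per_window = max_per_window   # requests allowed per window (constructed)
        self.window = window                   # sliding window length in seconds
        self.history = defaultdict(deque)      # (source, method) -> recent timestamps
        self.blacklist = set()                 # sources already caught flooding

    def inspect(self, src, raw, now):
        """Classify one request from `src` seen at time `now`; return an alert or None."""
        if src in self.blacklist:
            return "blocked: blacklisted source"
        try:
            method, headers = parse_sip(raw)
        except ValueError as err:
            return "malformed message (%s)" % err
        for field in ("From", "To"):
            if SQL_PATTERN.search(headers.get(field, "")):
                return "sql injection pattern in %s" % field
        if method in ("REGISTER", "INVITE"):
            recent = self.history[(src, method)]
            recent.append(now)
            while recent and now - recent[0] > self.window:   # drop timestamps outside the window
                recent.popleft()
            if len(recent) > self.max_per_window:
                self.blacklist.add(src)
                return "%s flooding from %s" % (method, src)
        return None


def make_request(method, user, call_id, host="ims.example.net"):
    """Build a minimal well-formed SIP request (constructed sample, not real traffic)."""
    return ("%s sip:%s SIP/2.0\r\n" % (method, host) +
            "Via: SIP/2.0/UDP 10.0.0.1:5060;branch=z9hG4bK%s\r\n" % call_id +
            "From: <sip:%s@%s>;tag=1\r\n" % (user, host) +
            "To: <sip:%s@%s>\r\n" % (user, host) +
            "Call-ID: %s\r\n" % call_id +
            "CSeq: 1 %s\r\n" % method +
            "Content-Length: 0\r\n\r\n")


def run_demo():
    """Feed constructed traffic through the IDS and return the alert per message."""
    ids = SipIds(max_per_window=5, window=1.0)
    alerts = []
    # six REGISTERs from one source within one second: the sixth crosses the threshold
    for i in range(6):
        alerts.append(ids.inspect("10.0.0.1", make_request("REGISTER", "alice", "c%d" % i), now=0.1 * i))
    # an INVITE with its CSeq header stripped is reported as malformed
    broken = make_request("INVITE", "bob", "c99").replace("CSeq: 1 INVITE\r\n", "")
    alerts.append(ids.inspect("10.0.0.2", broken, now=1.0))
    # SQL meta-characters in the From identity
    alerts.append(ids.inspect("10.0.0.3", make_request("INVITE", "carol' OR '1'='1", "c100"), now=1.0))
    # a clean INVITE from another source passes
    alerts.append(ids.inspect("10.0.0.4", make_request("INVITE", "dave", "c101"), now=1.0))
    # anything further from the flooding source is dropped outright
    alerts.append(ids.inspect("10.0.0.1", make_request("INVITE", "alice", "c102"), now=2.0))
    return alerts


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

The sliding-window counter keyed on (source, method) is what makes the REGISTER and INVITE cases separate use cases: a legitimate client re-registering at its normal interval never accumulates more than one or two timestamps, while a flood fills the window within a fraction of a second. The blacklist check runs before parsing so that a source already caught flooding costs nothing further, which matters for the processing-delay figures shown later in the deck.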


Testing Tools

• Traffic Generator
  – SIPp: SIP traffic generator
  – Seagull: IMS traffic generator
• IMS Client
  – Ericsson Service Development Studio (SDS)
  – UCT IMS Client
• Attacker
  – Developed C++ tool for specific attacks
• IMS Core
  – FOKUS’s Open Source IP Multimedia Subsystem (IMS) Core


IDS Process Delay

Number of SIP messages | Processing Delay (ms)
10                     | 0.2
50                     | 3.8
100                    | 4.2


Future Work

• Extended functionalities of the IDS system
• Optimize processing load
• Interaction with deployed services
• Stand-alone implementation at Application Servers
• Definition of relationships/dependencies among partners
• ...


Conclusions

• IMS deployment towards the NGN vision
• Identification of IMS vulnerabilities
• Enhanced IMS security framework
• Integration of an Intrusion Detection System
• Experimental testbed
• Future steps


Questions


Thank you for your attention

UNIVERSITY OF PATRAS
Department of Electrical & Computer Engineering
Wireless Telecommunications Laboratory
Michail Tsagkaropoulos
mailto: [email protected]
http://www.wltl.ee.upatras.gr/cones