February 2003

The "Dangerfield Principle" in Voice over Packet Systems

BY JIM THOMAS

Late into a long night fourteen years ago, the e-mail excerpted below was sent to a key set of guardians of what was to become the Internet:

It�s now 3:45 AM on Wednesday 3 November 1988. I�m tired, so don�t believe everything that follows...

Apparently, there is a massive attack on Unix systems going on right now.

I have spoken to systems managers at several computers, on both the east & west coast, and I suspect this may be a system wide problem.

Symptom: hundreds or thousands of jobs start running on a Unix system bringing response to zero . . .

This virus is spreading very quickly over the Milnet. Within the past 4 hours, I have evidence that it has hit >10 sites across the country, both Arpanet and Milnet sites. I suspect that well over 50 sites have been hit . . .

This is how one of the most notorious security incidents of all time appeared to the experts in its early hours. The attack was the infamous �RTM� worm, created by Robert Tappan Morris, a student at Cornell University. The worried author of the e-mail was Cliff Stoll, who was at the time in the midst of tracking the wily hacker chronicled in �Cuckoo�s Egg.� His initial estimate of the worm�s impact was later shown to be significantly understated: it actually brought down 10-20 percent of the 88,000 inter-networked U.S. computers. The bad news was that the RTM worm exploited several widely-known and long-standing vulnerabilities within the Unix operating system and associated networking utilities which could have been exploited to cause much greater damage. Morris raised a plausible defense that he had no malicious intent in creating the worm and its ill effects were the result of accidental programming errors. One positive outcome of this incident was the creation of Computer Emergency Response Team (now known as the CERT Coordination Center). But why did it take a near collapse of the network to get people to take security seriously?

Perhaps security suffers from what might be called the �Dangerfield Principle�: until there is a notorious incident, security gets no respect.

Voice over Packet (VoP) systems are being deployed in an increasing variety of network settings. It is important that service providers have an understanding of the potential vulnerabilities -- and what can be done to address them.

DESIGN CONSIDERATIONS

In his Practical Architectures for Survivable Systems and Networks, Peter Neumann offers the following quotation from Albert Einstein to begin his introductory chapter advocating a holistic, system-oriented approach to improve system survivability: �Make everything as simple as possible, but no simpler.� He defines survivability as a set of security, reliability, performance, and other interdependent requirements, which together can be characterized as an �emergent property -- that is a property that has meaning primarily in the overall context to which it relates.� Survivability is not a quality the overall system can simply inherit from its constituent lower-level components. In telecommunications, survivability equals �carrier class� -- an emergent property of a telecommunication system that meets strong benchmarks for reliability, performance, and security.

One of implications that can be drawn from Neumann�s treatise is that survivable carrier class VoP systems must be designed with an awareness of vulnerabilities in the legacy voice networking, data networking, and general computing. The VoP revolution has accelerated a shift from proprietary to generally-available hardware and underlying software systems. It is imperative that vendors be closely aligned with CERT and ISA (Internet Security Alliance) to continuously monitor for new security vulnerabilities.

And it is equally important to understand security safeguards built into legacy systems. One could argue this goes as far back as Strowger�s first forays into automated switching. Almon B. Strowger designed his system back in the 1880�s to circumvent the local manual telephone operator from channeling all the mortuary business in town to his competitor. How else would this be characterized than as a denial of service (DoS) attack?

Returning to Neumann�s advocacy of a top-down exploration of these architectures, three �planes� of communication emerge as candidates for distinct treatment. First, and perhaps most obvious, is the �bearer plane,� the actual voice or multimedia bits, which comprise a conversation. Second, the signaling or �control plane,� is used to send the messages that set up and take down conversations, and register or deregister the devices capable of holding conversations. Third, the �network plane� consists of the equipment that controls network topology and back-office interfaces.

Of the three, the �bearer plane� is perhaps most profoundly affected by the transition from legacy voice to VoP. In legacy systems, the speech path is carried from the phone over dedicated physical lines fairly deep into the network. Since the VoP bearer path is virtual, new possibilities arise for distant intruders to intercept (block) or eavesdrop (monitor) conversations.

Fortunately, several new design approaches including SRTP, a secure extension of the Real-time Transport Protocol (RTP), offer practical encryption of the bearer plane, achieving a level of personal communication security uncommon in legacy voice networks.

A somewhat counter-intuitive indicator of security in the bearer plane is Lawful Intercept (LI) or CALEA. Wiretapping is fairly difficult for the �bad guys� but fairly easy for the �good guys� because physical access to the wires is fairly difficult outside the telephone office and fairly easy inside. Providing a LI-compliant bearer plane to a service provider in a carrier class VoP solution is not trivial. On the one hand, it must allow authorized agents to gain access to (and possibly decrypt) a bearer stream, which routes over changing physical paths, in such a way as to be undetectable by the monitored party. There can be no detectable changes in end-to-end delay or jitter. On the other hand, the method used to gain LI access must be secure from exploitation by unauthorized agents.

The signaling plane is sometimes mistakenly thought of as a VoP invention, but was actually created decades ago. Nortel Networks Security Architect Matthew Broda describes a pre-historical (1960s) vulnerability discovered when a plastic whistle contained in boxes of Captain Crunch cereal emitted the same tone as that which signaled that a long distance call was toll-free. Because these signaling tones were carried on the same path as the bearer channel, it created an opportunity for theft of service.

When SS7 systems came into wide use in the 1980s, this class of �blue box� security vulnerabilities largely disappeared. But with VoP systems, renewed attention must be placed on the security of the control plane. One of the key values of VoP is that end user devices can dynamically register from different physical addresses. The methods used to authenticate these devices and initiate calls must be rock solid. A promising design approach for this plane, currently realized in the PacketCable security standard is to use IPSec to create secure tunnels and use IKE or Kerberos for negotiating public keys.

Now let�s look at the control plane. Many of the OAM (Operational, Administration, and Maintenance) interfaces have a legacy of reliance on �security by obscurity� due to the combination of historically tight physical access coupled with a relatively small community of knowledgeable users. Nevertheless, these systems are vulnerable to exploitation through gifted �social engineers� who exploit weaknesses in the human processes surrounding security to swipe passwords, access codes, and account information. As the skill level required to attack VoP systems decreases, the relatively high reward and low risk of penalty for attacks should cause administrators to demand increasing use of two-factor authentications. Passwords should be supplemented with biometrics (e.g., fingerprints, voiceprints, retinal scans) or token-based public key credentials (single use time-synchronized keys supplied by small personally retained hardware devices).

Another cornerstone of security in this plane is intelligent deployment of firewalls, one-way proxies, and packet filtering to allow for secure inter-exchange between systems at differing levels of trustworthiness. Because VoP systems can be comprised of network elements with a much greater geographic span than legacy systems, it is important to build in secure methods for remote maintenance, by employing IPSec tunneling, SNMPv3 and basic CO LAN security. Just because you are running IP does not mean your traffic should be co-mingled with the public Internet. Since exposures at this level lead quickly to theft of service, loss of privacy, and the potential for massive service disruption, human and automated security systems must be monitored with vigilance.


GAINING RESPECT THE EASY WAY?

Hopefully, this illustrated some of the foresight being applied to security in VoP architectures. The variety of approaches being used in different planes of the network show some degree of thoughtfulness and thorough consideration of risks. In many quarters, �security by obscurity� is being supplanted by intelligent open standards. The increasing prevalence of CableLabs PacketCable security specifications in carrier VoP demonstrates an advantage of convergence in the cross-pollinization of successful design principles. Security and survivability seem to have an increasing focus in discussions and proposals between service providers and equipment vendors. While these positive trends do not diminish the diligence of those who work daily on security issues, they offer hope to the rest of us that maybe this time, security is getting some respect.

Jim Thomas is Marketing Team Leader for the Nortel Networks Carrier Voice over Packet group. Nortel Networks is a leading provider of communications technology and infrastructure to enable value-added IP data, voice and multimedia services spanning Wireless Networks, Wireline Networks, Enterprise Networks, and Optical Networks. For more information, visit www.nortelnetworks.com.
 

[ Return To The February 2003 Table Of Contents ]