February 2003
The "Dangerfield Principle" in Voice over
Packet Systems
BY
JIM THOMAS
Late into a long night fourteen years ago, the e-mail excerpted below was
sent to a key set of guardians of what was to become the Internet:
It�s now 3:45 AM on Wednesday 3 November 1988. I�m tired, so don�t
believe everything that follows...
Apparently, there is a massive attack on Unix systems going on right now.
I have spoken to systems managers at several computers, on both the east &
west coast, and I suspect this may be a system wide problem.
Symptom: hundreds or thousands of jobs start running on a Unix system
bringing response to zero . . .
This virus is spreading very quickly over the Milnet. Within the past
4 hours, I have evidence that it has hit >10 sites across the country, both
Arpanet and Milnet sites. I suspect that well over 50 sites have been hit .
. .
This is how one of the most notorious security incidents of all time
appeared to the experts in its early hours. The attack was the infamous
�RTM� worm, created by Robert Tappan Morris, a student at Cornell
University. The worried author of the e-mail was Cliff Stoll, who was at the
time in the midst of tracking the wily hacker chronicled in �Cuckoo�s Egg.�
His initial estimate of the worm�s impact was later shown to be
significantly understated: it actually brought down 10-20 percent of the
88,000 inter-networked U.S. computers. The bad news was that the RTM worm
exploited several widely-known and long-standing vulnerabilities within the
Unix operating system and associated networking utilities which could have
been exploited to cause much greater damage. Morris raised a plausible
defense that he had no malicious intent in creating the worm and its ill
effects were the result of accidental programming errors. One positive
outcome of this incident was the creation of Computer Emergency Response
Team (now known as the CERT Coordination Center). But why did it take a near
collapse of the network to get people to take security seriously?
Perhaps security suffers from what might be called the �Dangerfield
Principle�: until there is a notorious incident, security gets no respect.
Voice over Packet (VoP) systems are being deployed in an increasing
variety of network settings. It is important that service providers have an
understanding of the potential vulnerabilities -- and what can be done to
address them.
DESIGN CONSIDERATIONS
In his Practical Architectures for Survivable Systems and Networks, Peter
Neumann offers the following quotation from Albert Einstein to begin his
introductory chapter advocating a holistic, system-oriented approach to
improve system survivability: �Make everything as simple as possible, but no
simpler.� He defines survivability as a set of security, reliability,
performance, and other interdependent requirements, which together can be
characterized as an �emergent property -- that is a property that has
meaning primarily in the overall context to which it relates.� Survivability
is not a quality the overall system can simply inherit from its constituent
lower-level components. In telecommunications, survivability equals �carrier
class� -- an emergent property of a telecommunication system that meets
strong benchmarks for reliability, performance, and security.
One of implications that can be drawn from Neumann�s treatise is that
survivable carrier class VoP systems must be designed with an awareness of
vulnerabilities in the legacy voice networking, data networking, and general
computing. The VoP revolution has accelerated a shift from proprietary to
generally-available hardware and underlying software systems. It is
imperative that vendors be closely aligned with CERT and ISA (Internet
Security Alliance) to continuously monitor for new security vulnerabilities.
And it is equally important to understand security safeguards built into
legacy systems. One could argue this goes as far back as Strowger�s first
forays into automated switching. Almon B. Strowger designed his system back
in the 1880�s to circumvent the local manual telephone operator from
channeling all the mortuary business in town to his competitor. How else
would this be characterized than as a denial of service (DoS) attack?
Returning to Neumann�s advocacy of a top-down exploration of these
architectures, three �planes� of communication emerge as candidates for
distinct treatment. First, and perhaps most obvious, is the �bearer plane,�
the actual voice or multimedia bits, which comprise a conversation. Second,
the signaling or �control plane,� is used to send the messages that set up
and take down conversations, and register or deregister the devices capable
of holding conversations. Third, the �network plane� consists of the
equipment that controls network topology and back-office interfaces.
Of the three, the �bearer plane� is perhaps most profoundly affected by
the transition from legacy voice to VoP. In legacy systems, the speech path
is carried from the phone over dedicated physical lines fairly deep into the
network. Since the VoP bearer path is virtual, new possibilities arise for
distant intruders to intercept (block) or eavesdrop (monitor) conversations.
Fortunately, several new design approaches including SRTP, a secure
extension of the Real-time Transport Protocol (RTP), offer practical
encryption of the bearer plane, achieving a level of personal communication
security uncommon in legacy voice networks.
A somewhat counter-intuitive indicator of security in the bearer plane is
Lawful Intercept (LI) or CALEA. Wiretapping is fairly difficult for the �bad
guys� but fairly easy for the �good guys� because physical access to the
wires is fairly difficult outside the telephone office and fairly easy
inside. Providing a LI-compliant bearer plane to a service provider in a
carrier class VoP solution is not trivial. On the one hand, it must allow
authorized agents to gain access to (and possibly decrypt) a bearer stream,
which routes over changing physical paths, in such a way as to be
undetectable by the monitored party. There can be no detectable changes in
end-to-end delay or jitter. On the other hand, the method used to gain LI
access must be secure from exploitation by unauthorized agents.
The signaling plane is sometimes mistakenly thought of as a VoP
invention, but was actually created decades ago. Nortel Networks Security
Architect Matthew Broda describes a pre-historical (1960s) vulnerability
discovered when a plastic whistle contained in boxes of Captain Crunch
cereal emitted the same tone as that which signaled that a long distance
call was toll-free. Because these signaling tones were carried on the same
path as the bearer channel, it created an opportunity for theft of service.
When SS7 systems came into wide use in the 1980s, this class of �blue
box� security vulnerabilities largely disappeared. But with VoP systems,
renewed attention must be placed on the security of the control plane. One
of the key values of VoP is that end user devices can dynamically register
from different physical addresses. The methods used to authenticate these
devices and initiate calls must be rock solid. A promising design approach
for this plane, currently realized in the PacketCable security standard is
to use IPSec to create secure tunnels and use IKE or Kerberos for
negotiating public keys.
Now let�s look at the control plane. Many of the OAM (Operational,
Administration, and Maintenance) interfaces have a legacy of reliance on
�security by obscurity� due to the combination of historically tight
physical access coupled with a relatively small community of knowledgeable
users. Nevertheless, these systems are vulnerable to exploitation through
gifted �social engineers� who exploit weaknesses in the human processes
surrounding security to swipe passwords, access codes, and account
information. As the skill level required to attack VoP systems decreases,
the relatively high reward and low risk of penalty for attacks should cause
administrators to demand increasing use of two-factor authentications.
Passwords should be supplemented with biometrics (e.g., fingerprints,
voiceprints, retinal scans) or token-based public key credentials (single
use time-synchronized keys supplied by small personally retained hardware
devices).
Another cornerstone of security in this plane is intelligent deployment
of firewalls, one-way proxies, and packet filtering to allow for secure
inter-exchange between systems at differing levels of trustworthiness.
Because VoP systems can be comprised of network elements with a much greater
geographic span than legacy systems, it is important to build in secure
methods for remote maintenance, by employing IPSec tunneling, SNMPv3 and
basic CO LAN security. Just because you are running IP does not mean your
traffic should be co-mingled with the public Internet. Since exposures at
this level lead quickly to theft of service, loss of privacy, and the
potential for massive service disruption, human and automated security
systems must be monitored with vigilance.
GAINING RESPECT THE EASY WAY?
Hopefully, this illustrated some of the foresight being applied to
security in VoP architectures. The variety of approaches being used in
different planes of the network show some degree of thoughtfulness and
thorough consideration of risks. In many quarters, �security by obscurity�
is being supplanted by intelligent open standards. The increasing prevalence
of CableLabs PacketCable security specifications in carrier VoP demonstrates
an advantage of convergence in the cross-pollinization of successful design
principles. Security and survivability seem to have an increasing focus in
discussions and proposals between service providers and equipment vendors.
While these positive trends do not diminish the diligence of those who work
daily on security issues, they offer hope to the rest of us that maybe this
time, security is getting some respect.
Jim Thomas is Marketing Team Leader for the Nortel Networks Carrier Voice
over Packet group. Nortel Networks is a leading provider of communications
technology and infrastructure to enable value-added IP data, voice and
multimedia services spanning Wireless Networks, Wireline Networks,
Enterprise Networks, and Optical Networks. For more information, visit
www.nortelnetworks.com.
[ Return
To The February 2003 Table Of Contents ]
|