As SIP continues to seep into the mainstream, more attention is being paid to security issues, especially in public IP networks/the Internet. At VoiceCon Orlando in March, we're bringing back Cullen Jennings and Eric Rescorla to once again give their "SIP Security" tutorial, which offers enterprises a jump on many of the key issues. And, via VOIPSA, I've discovered a trove of SIP-related and other Internet security presentations from the most recent ETSI Security Workshop (click on the Agenda link for the topics of each presentation).
Some of the topics of particular interest to the enterprise include the following (note: all are in PDF):
Lawful Intercept: This presentation focuses on the particular challenge that service providers will face as P2P SIP traffic proliferates on the network, and discusses how these providers might try to deal with the issue. The presentation shows the challenge of trying to monitor incoming calls to a particular person of interest, by noting that, with P2PSIP, "For the same callee the first signalling hop may be different with every call," and "After call-setup, all signalling can go directly peer-to-peer." In other words, trying to monitor the network infrastructure may be futile.
One possible solution is mentioned by the presenter, Jan Seedorf of NEC Laboratories Europe: Camp out as a peer on the network and try to sniff out troublemakers, the way the RIAA does with illegal music downloading. Seedorf goes on to explain why this is way more complicated with P2PSIP.
Incidentally, Seedorf mentions the IETF's P2PSIP Working Group, and we're fortunate to have another returning champion coming back to VoiceCon, David Bryan, who chairs that IETF WG and also delivers our Monday morning SIP tutorial and will host a session on P2PSIP on Wednesday.
Denial of Service and other attacks: This presentation, by Dr. Dorgham Sisalem, Director Strategic Architecture at Tekelec, points out that:
- "Anything that applies to any device connected to the Internet applies to SIP
  - Software bugs can be misused for buffer overflow attacks
  - Bad implementation can lead to system crashes and security holes
- Anything that applies to Web and mail applies to SIP
  - Flooding attacks
  - TCP SYN attacks
  - DNS misuse
  - Cross site scripting"
I found this presentation particularly interesting because it calls attention to the fact that, once service providers start getting involved in end-to-end VOIP/SIP, there is the potential for all kinds of unintended consequences. As just one example, Dr. Sisalem notes that it's an ISP practice to change IP addresses of their users every 24 hours--which means that when all those devices re-register, you have a potential unintended DoS attack unleashed.
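The re-registration scenario above is one a registrar operator can actually watch for. As an added example (not from the presentation or any product it mentions), the following script buckets REGISTER requests from a constructed registrar log into fixed time windows and separates the two shapes a burst can take: a "storm" of many distinct endpoints re-registering at once (the unintended DoS Dr. Sisalem describes) versus a "flood" from one or a few sources. The log format and the storm/flood rule are assumptions for the example.

```python
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed sample registrar log (assumed format for this example):
# "<ISO timestamp> REGISTER <source-ip> <address-of-record>"
SAMPLE_LOG = """\
2008-01-20T03:00:00 REGISTER 10.0.0.11 sip:alice@example.com
2008-01-20T03:00:00 REGISTER 10.0.0.12 sip:bob@example.com
2008-01-20T03:00:00 REGISTER 10.0.0.13 sip:carol@example.com
2008-01-20T03:00:01 REGISTER 10.0.0.14 sip:dave@example.com
2008-01-20T03:00:01 REGISTER 10.0.0.15 sip:erin@example.com
2008-01-20T03:00:01 REGISTER 10.0.0.16 sip:frank@example.com
2008-01-20T03:05:00 REGISTER 10.0.0.11 sip:alice@example.com
2008-01-20T03:10:00 REGISTER 192.0.2.99 sip:alice@example.com
2008-01-20T03:10:00 REGISTER 192.0.2.99 sip:alice@example.com
2008-01-20T03:10:00 REGISTER 192.0.2.99 sip:alice@example.com
2008-01-20T03:10:01 REGISTER 192.0.2.99 sip:alice@example.com
2008-01-20T03:10:01 REGISTER 192.0.2.99 sip:alice@example.com
2008-01-20T03:10:01 REGISTER 192.0.2.99 sip:alice@example.com
"""

def parse(log_text):
    """Yield (epoch_seconds, source_ip, aor) for each REGISTER line (timestamps read as UTC)."""
    for line in log_text.splitlines():
        ts, method, src, aor = line.split()
        if method == "REGISTER":
            when = datetime.fromisoformat(ts).replace(tzinfo=timezone.utc)
            yield int(when.timestamp()), src, aor

def register_bursts(log_text, window=10, threshold=5):
    """Report every `window`-second bucket holding at least `threshold` REGISTERs.

    Assumed classification rule: if the bucket has at least `threshold` distinct
    source IPs it is a 'storm' (many legitimate endpoints expiring together);
    otherwise it is a 'flood' concentrated on few sources.
    """
    buckets = defaultdict(list)
    for t, src, aor in parse(log_text):
        buckets[t // window * window].append((src, aor))
    reports = []
    for start in sorted(buckets):
        events = buckets[start]
        if len(events) < threshold:
            continue
        sources = Counter(src for src, _ in events)
        kind = "storm" if len(sources) >= threshold else "flood"
        reports.append({"window_start": start, "count": len(events),
                        "distinct_sources": len(sources),
                        "top_source": sources.most_common(1)[0][0],
                        "kind": kind})
    return reports
```

A storm points at scheduling (spread out expiry of registrations) rather than blocking, whereas a flood is a candidate for per-source rate limiting.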
It's also worth noting one of Dr. Sisalem's conclusions in particular--asking, "SPIT, SPIM, VoIP DoS: Hype or Reality?" the answer given is, "Today Hype, Tomorrow Reality." That jibes with everything else we've been hearing.
SPIT/Unsolicited Communications--The presentation on "Unsolicited Communication/SPIT/multimedia-SPAM," by Thilo Ewald, also of NEC Laboratories Europe, touches on the set of issues that I discussed in this earlier post. The presentation has an excellent slide that summarizes the various drafts now in the IETF to deal with SPIT.
(If you check out this presentation, keep in mind that "UC" in this context stands for Unsolicited Communications, not Unified Communications. It made me go, "Huh?" a few times.)
The last two of these presentations have some product-specific information at the end, but in a way I find that somewhat encouraging. The technical discussions throughout are objective, sophisticated and useful, and it's kind of good to know that some folks are working to "productize" the solution to these cutting-edge security challenges.