Abstract: Securing SIP: Scalable Mechanisms for Protecting SIP-Based VoIP Systems
Somdutt B. Patnaik, Eilon Yardeni, and Henning Schulzrinne, Columbia University; Gaston Ormazabal, Verizon Labs; David Helms, CloudShield Technologies

Placing voice traffic on the data network exposes it to the same attacks
that plague the existing Internet infrastructure. Traditional perimeter
security solutions cannot cope with the complexity of VoIP protocols at
carrier-class performance. To be useful and economical for carrier
deployments, a SIP-based VoIP security solution must process carrier-class
call volumes. Equally important, solution elements should scale
independently, allowing operators to meet growing demand while controlling
costs.
In a unique collaboration between network operator, vendor, and
academia, Verizon Labs, CloudShield, and the computer science team at
Columbia University have implemented a large-scale SIP-aware application
layer gateway (ALG) firewall combined with Denial-of-Service (DoS) detection
and mitigation to provide robust protection of SIP-based VoIP
infrastructures. The SIP ALG uses a rule-based approach for rate
limiting the signaling channel traffic, and the DoS filtering function
discriminates legitimate traffic from attack traffic by enforcing
threshold and authentication policies. The firewall device exceeded the
capacity of the test bed: SIP traffic filtering sustained call volumes of
more than 30,000 concurrent calls, and SIP signaling processing handled up
to 300 calls per second.
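The following is an added illustration of the kind of rule-based, per-source rate limiting and threshold enforcement described above; it is not the Columbia/Verizon/CloudShield implementation, and the rule table, the choice to tier thresholds by presence of a Digest Authorization header, and the sample SIP INVITE messages are all constructed assumptions for this example.

```python
"""Toy SIP-aware signaling rate limiter (added example, not the project's code).

Each (source IP, SIP method, auth tier) gets its own token bucket. Requests
that carry an Authorization/Proxy-Authorization header are treated as a
separate, more generous tier; unauthenticated requests get the tight
thresholds that a flood of bogus INVITEs would exhaust quickly.
All thresholds and sample messages below are constructed for illustration.
"""


def parse_sip(raw):
    """Parse the request line and headers of a SIP request (RFC 3261 layout)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) != 3:
        raise ValueError("malformed request line: %r" % lines[0])
    method, uri, version = parts
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        headers[name.strip().lower()] = value.strip()
    return {"method": method.upper(), "uri": uri, "version": version,
            "headers": headers, "body": body}


class TokenBucket:
    """Classic token bucket: `rate` tokens/s refill, at most `burst` stored."""

    def __init__(self, rate, burst):
        self.rate, self.burst = float(rate), float(burst)
        self.tokens, self.last = float(burst), None

    def take(self, now):
        if self.last is not None:
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


# Assumed rule table: method -> tier -> (tokens per second, burst).
RULES = {
    "INVITE":   {"unauth": (1.0, 3), "auth": (5.0, 20)},
    "REGISTER": {"unauth": (0.5, 2), "auth": (2.0, 10)},
}
DEFAULT_RULE = {"unauth": (2.0, 5), "auth": (10.0, 50)}


class SipRateLimiter:
    def __init__(self, rules=RULES, default=DEFAULT_RULE):
        self.rules, self.default, self.buckets = rules, default, {}

    def decide(self, src_ip, raw, now):
        """Return ALLOW, DROP_RATE or DROP_MALFORMED for one request."""
        try:
            msg = parse_sip(raw)
        except ValueError:
            return "DROP_MALFORMED"
        if msg["version"] != "SIP/2.0":
            return "DROP_MALFORMED"
        hdrs = msg["headers"]
        tier = "auth" if ("authorization" in hdrs or "proxy-authorization" in hdrs) else "unauth"
        rate, burst = self.rules.get(msg["method"], self.default)[tier]
        key = (src_ip, msg["method"], tier)
        bucket = self.buckets.get(key)
        if bucket is None:
            bucket = self.buckets[key] = TokenBucket(rate, burst)
        return "ALLOW" if bucket.take(now) else "DROP_RATE"


def invite(call_id, authenticated=False):
    """Build a constructed SIP INVITE; the credentials are dummy values."""
    hdrs = ["INVITE sip:bob@example.com SIP/2.0",
            "Via: SIP/2.0/UDP 198.51.100.7:5060;branch=z9hG4bK" + call_id,
            "From: <sip:alice@example.com>;tag=1928301774",
            "To: <sip:bob@example.com>",
            "Call-ID: " + call_id + "@198.51.100.7",
            "CSeq: 1 INVITE",
            "Content-Length: 0"]
    if authenticated:
        hdrs.insert(6, 'Authorization: Digest username="alice", realm="example.com", '
                       'nonce="dcd98b7102dd2f0e", response="6629fae49393a05397450978507c4ef1"')
    return "\r\n".join(hdrs) + "\r\n\r\n"


def simulate_flood(count, authenticated=False, spacing=0.01):
    """Send `count` INVITEs from one source `spacing` seconds apart; return decisions."""
    limiter, t, decisions = SipRateLimiter(), 1000.0, []
    for i in range(count):
        decisions.append(limiter.decide("198.51.100.7", invite("c%d" % i, authenticated), t))
        t += spacing
    return decisions


if __name__ == "__main__":
    print("unauthenticated flood:", simulate_flood(5))
    print("authenticated burst:  ", simulate_flood(5, authenticated=True))
```

With the assumed rule table an unauthenticated burst of five INVITEs from one address is cut off after the third, while the same burst carrying credentials passes; a real deployment would additionally verify the Digest response before granting the authenticated tier, since the header alone is trivially forged.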
This presentation will cover the following topics related to this
research project:
- The challenges for carrier-class VoIP infrastructure protection;
- Details of the scalable SIP-aware ALG;
- Details of the SIP filtering solution for detecting and mitigating DoS
attacks;
- The testing and analysis tool and test bed designed to validate the
research;
- Performance testing results of the implementation.
The net result of this research is that scalable, affordable solutions
are possible with commercially available hardware platforms and
appropriately architected application software.
About the Presenters
Prof. Henning Schulzrinne received his Ph.D. from the University of Massachusetts in Amherst, Massachusetts. He was a member of technical staff at AT&T Bell Laboratories, Murray Hill and an associate department head at GMD-Fokus (Berlin), before joining the Computer Science and Electrical Engineering departments at Columbia University, New York. He is currently chair of the Department of Computer Science.
Protocols co-developed by him, such as RTP, RTSP and SIP, are now Internet standards, used by almost all Internet telephony and multimedia applications. His research interests include Internet multimedia systems, ubiquitous computing, mobile systems, quality of service, and performance evaluation. He is a Fellow of the IEEE.
Gaston Ormazabal is a Distinguished Member of the Technical Staff at Verizon Laboratories. He holds a B.A. from Harvard University and M.A., M.Phil., and Ph.D. degrees from Columbia University, all in Physics. While at Columbia he conducted research in particle physics at both the Fermi and Brookhaven National Accelerator Laboratories. Gaston has held positions at Bell Communications Research and was one of the founding members of NYNEX Science and Technology. He is presently responsible for Network Security Systems Integration and Testing, concentrating on VoIP Security Protocols for SIP over FTTP and IP Multimedia Subsystems, and has also been involved in designing a Security Management Infrastructure for the Next Generation Network (NGN).
Dr Ormazabal has previously managed other University Research Programs both at Columbia University (Softswitch technologies) and at the Center for Advanced Technology in Telecommunications (CATT) at Polytechnic University (Intelligent Automation tools for SS7 Quad Interoperability Testing) where he has been a regular featured speaker at the annual CATT Research Day, most recently on “Post 9/11 Security Strategies”. Dr Ormazabal has also been a participant in standards activities in ANSI committees and has nine patents (pending) on VoIP security.
David Helms is a Senior Systems Engineer with CloudShield Technologies, Inc. and has led research efforts in applying deep packet inspection technologies in the areas of content monitoring, network security and traffic control. Prior to coming to CloudShield, Mr. Helms held the position of Director of Product Management for BioNetrix Systems, delivering biometric authentication solutions for computer and network security applications. Mr. Helms's background also includes technical leadership roles at Check Point Software Technologies and Bay Networks, focused on network and security engineering for the enterprise and security provider markets.