UNIVERSITY OF PATRAS, Department of Electrical & Computer Engineering, Wireless Telecommunications Laboratory

47th FITCE Congress, London 2008

"Securing IP Multimedia Subsystem (IMS) infrastructures: protection against attacks"

M. Tsagkaropoulos
Dept. of Electrical and Computer Engineering, Wireless Telecommunications Laboratory, University of Patras, 26500 Greece
Email: mtsagaro@ece.upatras.gr

Agenda
• NGN Networks
• IMS Architecture
• IMS Security Framework
• Vulnerabilities in IMS
• Security Mechanisms & enhancements
• Conclusions

NGN Vision (1)
• Transition to an "All-IP" network infrastructure.
• Convergence of networks and services.
• Support of heterogeneous access technologies (e.g. WLANs, WiMAX, xDSL, etc.).
• Unified control architecture to manage applications and services.

NGN Vision (2)
• Seamless handovers across both homogeneous and heterogeneous wireless technologies.
• Mobility, nomadicity and QoS support at or above the IP layer.
• Provisioning of triple-play services: a single service bundle of video, voice and Internet access.

Converged Network Concept (figure)

Heterogeneous access networks (UMTS/WCDMA, HSDPA, LTE; WLAN access point; WiMAX access point) attach to a common IP network that connects to the Internet. Above the IP network sit the management, control, signalling and policing functions, an AAA server farm and the application layer.

Convergence Realization
• Common service delivery platform for fixed, mobile/wireless, broadcast and IP-based networks
• IP Multimedia Subsystem (IMS)
  – Originally standardized by 3GPP and 3GPP2 for the mobile world
  – Extended to the fixed domain by ETSI TISPAN (NGN) and ITU-T

IP Multimedia Subsystem (IMS)
• Goal
  – Access, Security, Mobility, QoS, Charging, Service Platform Integration
• Extended functionalities
  – IMS is the central point of control for multiple applications and services
  – Handling of different user profiles
  – Service discovery

IMS Architecture
• Signalling plane
  – Proxy Call/Session Control Function (P-CSCF)
  – Interrogating CSCF (I-CSCF)
  – Serving CSCF (S-CSCF)
  – Media Gateway Control Function (MGCF)
• Application plane
  – Application Servers
    • Presence, Instant Messaging
  – Home Subscriber Server (HSS)
  – Media Server

IMS Security Architecture (figure)

IMS Vulnerabilities
• Denial of Service
• SQL Injection
• Eavesdropping
• Tearing down sessions
• Registration hijacking
• Session hijacking
• Impersonating a server
• Man in the middle

IMS Existing Security Plane
• Authentication & Key Agreement (AKA) between the IM subscriber and the home network
• Security mechanism agreement between the IM client and the visited network
• Integrity protection and confidentiality
• Network Domain Security (NDS/IP) between different security domains
• Existing GPRS/UMTS access security

Security Mechanisms

Attacks considered:
• BYE & CANCEL attacks
• Eavesdropping
• Registration & session hijacking
• Man-in-the-middle attacks
• SIP message flooding
• SQL injection

Countermeasures listed against them on the slide, in the order extracted: IPsec & TLS; Authentication & Authorization; None (no existing mechanism); IDS.

Proposed Security Architecture (figure)

IMS core: P-CSCF, I-CSCF and S-CSCF together with the HSS; reference points Gm (IMS client to P-CSCF), Mw (between CSCFs), Cx (I-CSCF/S-CSCF to HSS) and ISC (S-CSCF to the Application Servers farm). The IMS client (Alice) reaches the core over the Internet (IP connectivity). The IDS is built on a SER (SIP Express Router) SIP server and holds the attack detection rules, a blacklist and a user list.

IMS Security Target
• Handling protocol vulnerabilities
• Protection against attacks
• SPAM handling

IDS Use Cases

Attack detection at the P-CSCF, performed by the IDS:
• Detection of INVITE flooding
• Detection of REGISTER flooding
• Detection of malformed messages
• Detection of SQL injection
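As an added worked example (not code from the presentation, and not the SER-based IDS it describes), the following Python script implements toy versions of the four detection use cases above, plus a dialog check for the BYE/CANCEL teardown attack listed on the vulnerability and security-mechanism slides. Everything in it is assumed: the flood window and threshold, the SQL-injection signature list, the mandatory-header set, the IP addresses and the sample SIP requests, which are constructed to look like what a P-CSCF receives on Gm.

```python
"""Toy SIP intrusion-detection rules modelled on the slide's IDS use cases.

Added example, not code from the presentation or from the Open IMS Core it was tested
against. Thresholds, signatures, addresses and sample traffic below are assumptions.
"""
import re
from collections import defaultdict, deque

FLOOD_WINDOW_S = 1.0     # sliding-window length, assumed
FLOOD_THRESHOLD = 5      # requests per (source, method) allowed in one window, assumed
MANDATORY = ("Via", "From", "To", "Call-ID", "CSeq", "Max-Forwards")
REQUEST_LINE = re.compile(r"^([A-Z]+) (sip:\S+) SIP/2\.0$")
# Minimal SQL-injection signature list (assumed); ';' is deliberately absent because it is a
# legitimate SIP URI/header parameter separator and would match every message.
SQLI = re.compile(r"'|--|/\*|\b(union|select|drop|insert|delete)\b", re.I)


def parse_sip(raw):
    """Return (method, request_uri, headers) or None if the request is malformed."""
    lines = raw.replace("\r\n", "\n").split("\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return None
    headers = {}
    for line in lines[1:]:
        if line == "":            # blank line ends the header section
            break
        name, sep, value = line.partition(":")
        if not sep:
            return None
        headers[name.strip()] = value.strip()
    if any(h not in headers for h in MANDATORY):
        return None
    return m.group(1), m.group(2), headers


class SipIds:
    """Stateful detector placed in front of the P-CSCF; one instance per deployment."""

    def __init__(self):
        self.recent = defaultdict(deque)   # (src_ip, method) -> arrival timestamps
        self.dialogs = set()               # Call-IDs of INVITEs that passed inspection
        self.blacklist = set()

    def inspect(self, src_ip, raw, now):
        """Apply the rules to one request and return the list of alert names."""
        parsed = parse_sip(raw)
        if parsed is None:
            self.blacklist.add(src_ip)
            return ["malformed"]
        method, uri, headers = parsed
        alerts = []
        # SQL injection: Request-URI, From, To and Contact are what an S-CSCF/HSS may
        # use in subscriber-database lookups.
        fields = (uri, headers["From"], headers["To"], headers.get("Contact", ""))
        if any(SQLI.search(f) for f in fields):
            alerts.append("sql_injection")
        # Flooding: count INVITE/REGISTER per source inside a sliding time window.
        if method in ("INVITE", "REGISTER"):
            q = self.recent[(src_ip, method)]
            q.append(now)
            while now - q[0] > FLOOD_WINDOW_S:
                q.popleft()
            if len(q) > FLOOD_THRESHOLD:
                alerts.append(method.lower() + "_flooding")
        # Teardown: a BYE/CANCEL must refer to a dialog this IDS saw being set up.
        call_id = headers["Call-ID"]
        if method in ("BYE", "CANCEL") and call_id not in self.dialogs:
            alerts.append("teardown_unknown_dialog")
        if alerts:
            self.blacklist.add(src_ip)
        elif method == "INVITE":
            self.dialogs.add(call_id)
        return alerts


def build_request(method, from_user, to_user, call_id):
    """Constructed SIP request in the shape a P-CSCF receives on the Gm interface."""
    uri = "sip:ims.example" if method == "REGISTER" else f"sip:{to_user}@ims.example"
    return "\r\n".join([
        f"{method} {uri} SIP/2.0",
        "Via: SIP/2.0/UDP 10.0.0.5:5060;branch=z9hG4bK776asdhds",
        "Max-Forwards: 70",
        f"From: <sip:{from_user}@ims.example>;tag=1928301774",
        f"To: <sip:{to_user}@ims.example>",
        f"Call-ID: {call_id}",
        f"CSeq: 1 {method}",
        f"Contact: <sip:{from_user}@10.0.0.5:5060>",
        "Content-Length: 0",
        "", "",
    ])


def demo():
    """Run the rules over constructed traffic; returns the alerts per case and the blacklist."""
    ids = SipIds()
    r = {}
    r["legit_invite"] = ids.inspect("10.0.0.5", build_request("INVITE", "alice", "bob", "c1"), 0.00)
    r["sqli_invite"] = ids.inspect("10.0.0.6", build_request("INVITE", "alice'OR'1'='1", "bob", "c2"), 0.10)
    no_call_id = build_request("REGISTER", "mallory", "mallory", "c3").replace("Call-ID: c3\r\n", "")
    r["malformed"] = ids.inspect("10.0.0.7", no_call_id, 0.20)
    flood = [ids.inspect("10.0.0.8", build_request("REGISTER", "eve", "eve", f"f{i}"), 0.3 + i * 0.05)
             for i in range(7)]
    r["fifth_register"], r["seventh_register"] = flood[4], flood[6]
    r["legit_bye"] = ids.inspect("10.0.0.5", build_request("BYE", "alice", "bob", "c1"), 0.80)
    r["rogue_bye"] = ids.inspect("10.0.0.9", build_request("BYE", "alice", "bob", "nope"), 0.90)
    r["blacklist"] = sorted(ids.blacklist)
    return r


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:16} {result}")
```

Running the script prints one line per constructed case: the legitimate INVITE and its matching BYE produce no alert, the quoted From user triggers the SQL-injection rule, the REGISTER without Call-ID is rejected as malformed, the sixth and seventh REGISTER from one source inside the window are flagged as flooding, and a BYE for a Call-ID never seen in an INVITE is flagged as a teardown attempt. A real deployment would replace the regex signatures with a proper SIP parser, match BYE/CANCEL against the dialog's From/To tags and CSeq rather than Call-ID alone, rate-limit per registered subscriber rather than per source IP (NAT hides many UEs behind one address), and treat a single signature hit as an alert to correlate rather than an immediate blacklist entry.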

Testing Tools
• Traffic generators
  – SIPp: SIP traffic generator
  – Seagull: IMS traffic generator
• IMS clients
  – Ericsson Service Development Studio (SDS)
  – UCT IMS Client
• Attacker
  – C++ tool developed for the specific attacks
• IMS core
  – Fraunhofer FOKUS Open Source IMS Core

IDS Process Delay

Number of SIP messages | Processing delay (ms)
10                     | 0.2
50                     | 3.8
100                    | 4.2

Future Work
• Extended functionalities of the IDS system
• Optimize processing load
• Interaction with deployed services
• Stand-alone implementation at Application Servers
• Definition of relationships/dependencies among partners
• ...

Conclusions
• IMS deployment towards the NGN vision
• Identification of IMS vulnerabilities
• Enhanced IMS security framework
• Integration of an Intrusion Detection System
• Experimental testbed
• Future steps

Questions

Thank you for your attention

UNIVERSITY OF PATRAS, Department of Electrical & Computer Engineering, Wireless Telecommunications Laboratory
Michail Tsagkaropoulos
mailto:mtsagaro@ece.upatras.gr
http://www.wltl.ee.upatras.gr/cones