NANOG Meeting Presentation Abstract

Securing SIP: Scalable Mechanisms for Protecting SIP-Based VoIP Systems
Meeting: NANOG38
Date / Time: 2006-10-10 9:30am - 9:00am
Room: St. Louis D-E
Presenters: Speakers:
Somdutt B. Patnaik, Columbia University.
Eilon Yardeni, Columbia University.

Henning Schulzrinne, Columbia University

Prof. Henning Schulzrinne received his Ph.D. from the University of Massachusetts in Amherst, Massachusetts. He was a member of technical staff at AT&T Bell Laboratories, Murray Hill and an associate department head at GMD-Fokus (Berlin), before joining the Computer Science and Electrical Engineering departments at Columbia University, New York. He is currently chair of the Department of Computer Science. Protocols co-developed by him, such as RTP, RTSP and SIP, are now Internet standards, used by almost all Internet telephony and multimedia applications. His research interests include Internet multimedia systems, ubiquitous computing, mobile systems, quality of service, and performance evaluation. He is a Fellow of the IEEE.

Gaston Ormazabal, Verizon Labs

Gaston Ormazabal is a Distinguished Member of the Technical Staff at Verizon Laboratories. He holds a B.A. from Harvard University and M.A., M.Phil., and Ph.D. degrees from Columbia University, all in Physics. While at Columbia he conducted research in particle physics at both the Fermi and Brookhaven National Accelerator Laboratories. Gaston has held positions at Bell Communications Research and was one of the founding members of NYNEX Science and Technology. He is presently responsible for Network Security Systems Integration and Testing, concentrating on VoIP Security Protocols for SIP over FTTP and IP Multimedia Subsystems, and has also been involved in designing a Security Management Infrastructure for the Next Generation Network (NGN). Dr. Ormazabal has previously managed other University Research Programs both at Columbia University (Softswitch technologies) and at the Center for Advanced Technology in Telecommunications (CATT) at Polytechnic University (Intelligent Automation tools for SS7 Quad Interoperability Testing), where he has been a regular featured speaker at the annual CATT Research Day, most recently on “Post 9/11 Security Strategies”. Dr. Ormazabal has also been a participant in standards activities in ANSI committees and has nine patents (pending) on VoIP security.

David Helms, CloudShield Technologies

David Helms is a Senior Systems Engineer with CloudShield Technologies, Inc. and has led research efforts in applying deep packet inspection technologies in the areas of content monitoring, network security and traffic control. Prior to coming to CloudShield, Mr. Helms held the position of Director of Product Management for BioNetrix Systems, delivering biometric authentication solutions for computer and network security applications. Mr. Helms's background also includes technical leadership roles at CheckPoint Software Technologies and Bay Networks, focused on network and security engineering for the enterprise and security provider markets.
Abstract: Placing voice traffic on the data network exposes it to the same attacks that plague the existing Internet infrastructure. Traditional perimeter security solutions cannot cope with the complexity of VoIP protocols at carrier-class performance. To be useful and economical for carrier deployments, a SIP-based VoIP security solution must process carrier-class call volumes. Equally important, solution elements should scale independently, allowing operators to manage growing demand and manage costs.

In a unique collaboration between network operator, vendor, and academia, Verizon Labs, CloudShield, and the computer science team at Columbia University have implemented a large-scale SIP-aware application layer firewall (ALG) combined with Denial-of-Service detection and mitigation to provide robust protection of SIP-based VoIP infrastructures. The SIP ALG uses a rule-based approach for rate limiting the signaling channel traffic, and the DoS filtering function discriminates legitimate traffic from attack traffic by enforcing threshold and authentication policies. The developed firewall device was found to exceed testing capacity, with SIP traffic filtering managing call volumes exceeding 30,000 concurrent calls and SIP signal processing of up to 300 calls per second.

This presentation will cover the following topics related to this research project:
- The challenges for carrier-class VoIP infrastructure protection
- Details of the scalable SIP-aware ALG
- Details of the SIP filtering solution for detecting and mitigating DoS attacks
- The testing and analysis tool and test bed designed to validate the research
- Performance testing results of the implementation

The net result of this research is that scalable, affordable solutions are possible with commercially available hardware platforms and appropriately architected applications software.
Files: Henning Schulzrinne Presentation (PDF)
YouTube: Securing SIP: Scalable Mechanisms for Protecting SIP-Based VoIP Systems
Sponsors: None.
