
Securing public and IP telephone networks.


Abstract

Signaling System 7 (SS7) is the control network used by public telephones all over the world. Having been designed in an era in which a few large telephone companies controlled an entire network, SS7 was designed with no security in mind. Due to telecommunications deregulation, liberalization of economies, and the convergence of telephone, IP, and wireless networks, the number of interfaces to SS7 has increased. New players in the market and numerous entry points between SS7 and other networks have brought many vulnerabilities. Today, anyone capable of introducing messages into the SS7 network can bring down telephone services. As a solution, I propose MTPSec, a framework that enforces authentication and custom-creates secure channels at the message transfer protocol (MTP3) layer. MTP3 is comparable to the IP layer of the OSI model, and hence this proposal could serve as the IPSec of the telecommunications world. It is shown by simulation that employing MTPSec adds only 360 microseconds to the average call setup delay for a domestic telephone call in an average-sized country. This delay is tolerable for the additional security service it provides.

At the interface of SS7 and the IP network, the inter-signaling between the IP and SS7 networks can be exploited from either side to disrupt the services provided on the other side. I show how this can be done and propose a solution based on access control, signal screening, and detection of anomalous signaling. To be an effective solution, the latter two methods consider syntactic correctness, semantic validity of the signal content, and appropriateness of a particular signal in the context of earlier exchanged messages.

IP telephony (i.e., Voice over Internet Protocol [VoIP]) shares network resources with regular Internet traffic and is therefore susceptible to the existing security holes of the Internet. Moreover, given that voice communication is time sensitive and uses a suite of interacting protocols, VoIP exposes new forms of vulnerabilities to attacks. I propose a VoIP Intrusion Detection System (vIDS) that uses state machines of network protocols and the interactions among them to conduct intrusion detection. This approach is particularly suited for protecting VoIP applications that use many protocols. The experimental results demonstrate that, on average, the online placement of vIDS adds a delay of approximately 100 ms to call setup time. The average increase in CPU overhead induced by vIDS is only 3.6%.

I also propose and implement a VoIP Flood Detection System (vFDS), which is an online, statistical anomaly detection framework that generates alerts based on abnormal variations in a selected hybrid collection of traffic flows. It views collections of related packet streams as evolving probability distributions and measures abnormal variations in their relationships using the Hellinger distance. Experimental results demonstrated that vFDS is fast and accurate in detecting flooding attacks without noticeably increasing call setup times or introducing jitter into voice streams.