Date post: 20-Dec-2015
Hank Kluepfel, CPP, 01-973-543-7064, henry.m.kluepfel@saic.com. Sept 10-11, 2001 Workshop: Mitigating the Vulnerability of Critical Infrastructures to Catastrophic Failures. Security of Next Generation Networks: When Best Effort is not enough
Transcript
Page 1: Hank Kluepfel, CPP 01-973-543-7064 henry.m.kluepfel@saic.com Sept 10-11, 2001 Workshop: Mitigating the Vulnerability of Critical Infrastructures to Catastrophic.

Hank Kluepfel, CPP
01-973-543-7064
henry.m.kluepfel@saic.com

Sept 10-11, 2001 Workshop:
Mitigating the Vulnerability of Critical Infrastructures to Catastrophic Failures

Security of Next Generation Networks: When Best Effort is not enough

Page 2

My Background

First case prosecuted under US Computer Crime Law

First Defense-In-Depth Quality Program on Security Design and Management:
  • Assess Current Environments e.g., multidiscipline audits
  • Close Known Holes e.g., awareness, patches & reporting
  • Architect Security Into standards, requirements, systems & R&D
  • Deploy a network element border firewall

First Information Sharing & Leadership
  • Domestic - NSTAC Network Security Panel – 1990
  • International - IEEE International Carnahan Conference Papers

First to be sued in the line of duty, first to be dismissed for wrongful litigation

Authored First SS7 (CCITT #7) Security Best Practice – ATIS Security Base Guideline for Interconnected SS7

First to Chair an NRIC Focus Subgroup on Security

Page 3

Traditional Threat Tree

Threat

  Natural
    • fires
    • floods
    • earthquakes
    • hurricanes
    • extreme heat
    • extreme cold

  Unintentional: Errors, Omissions
    • software bugs
    • system overloads
    • hardware failures
    • poorly trained administrators
    • errors and accidents
    • uninformed, unmotivated and/or incompetent custodians

  Intentional
    Insider
      • Dishonest or disgruntled employee, partner, outsource employee or contract employee
    Outsider
      • Hacker/Phreaker
      • spy
      • fraudster
      • disgruntled former employee

  Exploitable Vulnerabilities
    • buffer overflows
    • Insecure defaults

Page 4

Telecom Incidents At A Glance:

• High Tech Telecom Hacks Linked to Organized Crime
• High Tech Theft
• Strong Arm Burglaries of Central Offices
• Burglary of Central Offices and Centers
• Sophisticated Theft of Services
• Unindicted Co-Conspirators Often On Payroll of Carriers
• Theft of Intellectual Property & Privacy
• Sophisticated Fraud through network manipulation
• Law Enforcement Operations Targeted
• Internet Economy Enabled Hacking
• Vulnerable Operations: If it isn’t in the release and administration neutral, it’s not patched or managed
• Virtually every case found by accident or error

Page 5

Decreasing Barriers to Intrusion: It just gets easier!

[Figure: chart over a time axis marked 1980, 1985, 1990, 1995, 2000, with a vertical axis running from Low to High. Chart labels: Tools & Techniques; Threat; Skills & Knowledge; Sophistication. Items plotted: password guessing; self-replicating code; password cracking; exploiting known vulnerabilities; disabling audits; back doors; hijacking sessions; scanners/sweepers; sniffers; packet spoofing; GUI automated probes; denial of service; SONET/SDH backbone attacks; “stealth” / advanced scanning techniques; burglaries; network mgmt. diagnostics; network element Trojans; PAD to PAD; Y2K enabled hacking; distributed denial of service / advanced virus / worm techniques; wireless hack-in-a-box e.g., AirSnort aimed at WEP/802.11b (http://www.wired.com/news/print/0,1294,46187,00.html)]

Sources:
• CERT® Coordination Center
• Network Reliability and Interoperability Council

Baseline Reference: Telecommunications Risk Assessment NSTAC, June ‘99

Page 6

Cross Elastic Converged Network attacks:

[Figure: attack diagram. Labels: Use worm to gain control of 10^4 - 10^6 zombies; Anonymizer; Zombies (20-90 K observed during CodeRed); Reflectors; Thousands of targets]

Source: Stuart Staniford, O. Sami Saydjari & Ken Williams

Page 7

Code Red Worm

Affecting IIS web server software and propagating to other selected IP addresses through Port 80 (http) connectivity

Evolution and impact of worm inevitable
  – Exploit trust relationships
  – Multiple Operating Systems
  – Code Posted on the Internet by White hat hackers
  – Now targeting local hosts first causing network congestion
  – More hidden elements e.g., backdoor Trojan Horse for POST IIS Patch Access

Relevance to NGN
  – At least three major providers of NGN products impacted
  – Access and management systems impacted
  – Other NGN aspects (e.g., Network OAM&P) ripe for potential exploitation

Page 8

Network Convergence Dream: Merging the Voice and Data Worlds

• Circuit Switching
• TDM transport
• High reliability (Five 9’s)
• Limited programmability
• Time sensitive billing
• Slow service set-up
• Dumb phones
• Telephony services
• IN Services

• Packet Switching
• Intelligence at “edge”
• Lower reliability & security
• Innovation in PC and enterprise applications
• Flat rate or bandwidth pricing
• Hard to achieve quality
• Smart PCs

• Single infrastructure
• Packet Switching
• Intelligence distributed/collaborative
• Best Effort reliability, security & QoS
• Innovative business to business applications
• High value service bundles
• Steep learning curve on security

Page 9

Telcordia’s Call Agent Architecture

[Figure: architecture diagram. Labels: Service Execution; Service Definition; Announcement Server; SS7 Gateway; TCAP/SS7; ISUP/SS7; MGCP; Public Signaling Network; ISCP; Customer Care & Billing; Network OSSs; API; Customer; TelCo; Service Applets (Service Definition, Billing, Provisioning); GUI; JAVA; Trunking Gateway; Backbone Network; Res Hub; Voice/IP; PSTN; Voice/IP/ATM; SONET/SDH; Call Agent; Exchange Link; HFC; ADSL; WLL]

Page 10

Lucent Technologies Open Service Creation & Internetworking

[Figure: architecture diagram. Labels: Lucent Gateway 1000™; Cisco 5300™; Ascend MAX6000™; Lucent PacketVoice Gateway; Lucent 5ESS; Service Provider Servlet; User Feature Applet; Call Coordinator; Directory Coordinator; Device Servers (H.323v1 Device Server, H.323V2 Device Server, SS7 Device Server); SS7 Gateway; IP Databases; PSTN Databases; PacketStar IP Services Platform]

Page 11

Security issues are suspect at every layer of the infrastructure ...

[Figure: two identical layered system stacks joined by Interconnecting Networks. Layers in each stack: User Interface device/system; Appl 1, Appl 2, ... Appl n (each with functions F1 ... Fn); Middleware; OS, Sys. Lib., Drivers; File Systems, DBMS; Protocols: TCP/IP, TL1; Network Connectivity; Hardware Platforms]

Page 12

Common Problems: Vulnerabilities & Errors

• Policies and standards driven by known exploits rather than integral with evolving technology and services
• Unencrypted Login Sessions over vulnerable networking coupled with Reusable Passwords
• Poor access controls
• Search for Holes in Protocols
• Outdated Physical Security
• Uncontrolled networking
• Inadequate documentation
• Insecure System Defaults
• Weak Auditing & Reporting

[Figure label: Critical Infrastructure Resources]

Page 13

Network Convergence Nightmare: VoIP Service Attacks demonstrated

• Denial of service through buffer overflows against IP phones and gatekeepers (Root cause: Relevant Standards are ill-defined on security policy and expected behavior)
• Modifying user registration to re-direct calls
• Unauthorized monitoring of RTP call flows
• Man-in-the-Middle (H323) proxy modification of signaling & content
• Brute force account password attacks on management interfaces
• Local network sniffing of account passwords and software updates (configuration and feature changes)

Source: Utz Roedig paper, Darmstadt University of Technology http://www.aravox.com/literature/aravox_security_analysis_ip_telephony.pdf

Page 14

Today’s Business Case for Security

[Figure: flow diagram. Labels: Vision/Strategy; Board of Directors; Senior Management; Security Program; Assets; Risk Analysis; Vulnerability Analysis; Incidents/Accidents; Security Requirements; Business Case; Investment Requests; Security Investments]

Motivations
• Shareholder/Stake-holder Value Added
• Capital Markets Perception
• Regulations/Ordinances
• Securities Rules and Regulations Compliance
• Assurance/Insurance
• Competitive Advantage
• Intangibles
• Media

Organizational Response: Prevention/Mitigation

Source: www.ncs.gov (off line due to CODE RED WORM)

Page 15

Factors influencing platform selections by Service Providers

• Assure security in the initial architecture
• Stick with standards and avoid proprietary security algorithms
• Focus on Authentication, Authorization, Accounting
• Protect SS7 to IP interconnects
• Invite customers to test security of beta products
• Set defaults to ‘secure’ on new elements

Source: Verizon paper, Converged Networks & Security; NSTAC R&D Exchange, Telecommunications and Information Security Workshop 2000

Page 16

Related Security Standards and Best Practices Fora

• Secure Tunneling - e.g., IPSec
• Packet cable security specification
• Common Criteria switch profile
• ITU H235
• SNMP security
• ATM Forum security specification
• T1S1 SS7 security standard based on the Generic Upper Layer Security (GULS) functions described in 'Information Technology - Open Systems Interconnection Upper Layers Security Model', ISO/IEC IS 10745, June 1993.
• IETF efforts on control protocols (e.g., SIP)
• Network Reliability and Interoperability Council (NRIC) V
• Other Candidates that we might help develop?

Page 17

Targeting Interoperability and Quality

• Use of security standards that can address GW-GW, inter-system and end-to-end interactions
• Address signaling security, NGN and PSTN interface
• Use security tunneling designed for IPv4 & IPv6
• Adopt ATM Forum security specification that addresses multiple planes
• Support intersystem negotiation of security parameters
• Leverage common security services and supporting infrastructure (e.g., Directories, DNS)
• Extending security baseline requirements defined for PSTN - e.g., Telcordia GR-815 Update (Available for Comment)
• Leveraging industry best practices - e.g., IPSec / VPNs
• Adopting common Internet firewall approach
• Use industry best practices & interoperability testing

Page 18

Security of Telecom Network Elements: Current GR-815-CORE

• First Published in 1989, updated in 1997
• Procurements Specified by RBOCS and other LECs
• Accepted as “de facto standard” for Telecom NEs by all major suppliers and service operators
• From ~20% to Over ~95% compliance ‘90-’95
• Model for NIST Common Criteria Telecom Switching Profile
• Model for ATIS SS7 Base Security Guideline

Page 19

Summary & Commentary

Next Generation Networks
  – More open and connected
  – More complex, distributed
  – More Interdependencies
  – Growing Vulnerabilities
  – Increasing standards of Due Care
  – Increased focus on standards
  – Less interoperable solutions apparent
  – Great need for consensus on standards and best practices

An excellent opportunity for CIP

Source: Mike Thompson, Detroit Free Press

Questions: Hank Kluepfel, CPP
01-973-543-7064
henry.m.kluepfel@saic.com

