IDPS for IMS and VoIP services
Μουράτος, Γεώργιος Ι.
Subject: Computer network protocols; Wireless communication systems; Internet telephony -- Security measures; Computer networks -- Security measures
The multimedia services provided through the Internet have become an inseparable part of people's lives. In addition, the development of the technology has made such services available on mobile and handheld devices. This is achieved with the deployment of the IP Multimedia Subsystem (IMS). The resource-demanding services that the IMS provides, such as video conferences, audio calls, applications, IP television and many more, must be streamed with high Quality of Service (QoS). With QoS in mind, these infrastructures employ a lightweight signaling protocol: SIP. This text-based protocol is flexible enough to easily incorporate and provide different services. It is also a low-resource protocol that does not burden the infrastructure with further delays during the session establishment handshakes. These advantages come with an inevitable drawback: there are many security vulnerabilities that malicious internal or external users can exploit, using different techniques, to degrade the QoS and cause Denial of Service (DoS), intercept communication sessions, or steal users' identities and credentials. Moreover, an attacker can use techniques from the lower layers of the Internet protocol stack to threaten SIP services. For instance, IP spoofing or Address Resolution Protocol (ARP) poisoning can be the first step that lets an attacker manipulate a SIP request. Every architecture that uses SIP as its signaling protocol is susceptible to such behavior. Many scientific works pinpoint these vulnerabilities. Different security protocols are deployed in VoIP and IMS environments to harden the defense against the behavior described above. For instance, IMS can use Authentication and Key Agreement (AKA) with IPsec, or SIP Digest with TLS. These protocols provide authentication, confidentiality and integrity services to the communication.
SIP Digest can also be used on low-resource devices, but it provides only authentication support for SIP messages. Nevertheless, while these mechanisms can prevent most of the attacks originating from external users, they cannot effectively discourage malicious subscribers from launching flooding or SIP signaling attacks through their own security tunnels. Many researchers have presented scientific works on the detection of such security incidents, but most of them cover only a minority of the attacks, stop at detection without being able to prevent them, or rely on heavyweight protocols such as Public Key Infrastructures (PKIs), with a tradeoff between security and the introduced delay. Also, other solutions such as Transport Layer Security (TLS) and Secure/Multipurpose Internet Mail Extensions (S/MIME) cannot deter internal flooding and signaling attacks and, on top of that, they introduce a large amount of overhead: the throughput can be 17 times greater (in the worst-case scenario) without TLS. In this paper we present, to the best of our knowledge, the most comprehensive and thorough cross-layer mechanism that is able to detect and deter most of the attacks that can be launched against environments which use SIP.
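The abstract names three classes of incident that an IDPS in front of a SIP proxy or P-CSCF has to recognise: INVITE flooding from a subscriber, signaling attacks (for example a BYE or CANCEL injected for a session the sender never set up), and lower-layer manipulation such as IP spoofing that surfaces as a mismatch between the IP-layer source and the SIP-layer Via header. The following Python sketch is an added example written for this page and is not the thesis's own mechanism; the SIP requests, addresses (`10.0.0.x`, `192.0.2.44`, `ims.example.test`) and thresholds (`window=1.0`, `max_invites=5`) are constructed values, and the detector deliberately simplifies call tracking to a set of Call-IDs seen in an INVITE.

```python
"""Toy cross-layer SIP anomaly detector (added example, not the thesis's code).

Flags three indicator types over (timestamp, ip_source, raw_request) tuples as
a sniffer in front of a SIP proxy might deliver them:
  invite_flood           - more than max_invites INVITEs from one IP per window
  unsolicited_teardown   - BYE/CANCEL for a Call-ID never seen in an INVITE
  via_mismatch           - top Via sent-by host differs from the IP-layer source
"""
import re
from collections import defaultdict, deque

REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+)\s+(?P<uri>\S+)\s+SIP/2\.0$")
VIA_HOST = re.compile(r"SIP/2\.0/(?:UDP|TCP|TLS)\s+(?P<host>[^;:\s]+)")


def parse_sip(raw):
    """Split a SIP request into its method, Request-URI and a lower-cased
    header map. Returns None when the first line is not a valid request line."""
    lines = raw.strip().split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return None
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), value.strip())
    return {"method": m.group("method"), "uri": m.group("uri"), "headers": headers}


def via_mismatch(src_ip, headers):
    """Cross-layer check: the sent-by host in the top Via should equal the
    IP-layer source unless a proxy already recorded a 'received=' parameter
    (the NAT case). A missing or malformed Via is treated as a mismatch."""
    via = headers.get("via", "")
    m = VIA_HOST.search(via)
    if not m:
        return True
    if f"received={src_ip}" in via:
        return False
    return m.group("host") != src_ip


def detect(traffic, window=1.0, max_invites=5):
    """Return a list of (timestamp, src_ip, indicator, detail) alerts.
    Traffic is assumed to be in timestamp order."""
    alerts = []
    recent = defaultdict(deque)  # src_ip -> timestamps of INVITEs inside the window
    known_calls = set()          # Call-IDs for which an INVITE has been observed
    flooding = set()             # sources already reported, to avoid alert storms
    for ts, src_ip, raw in traffic:
        msg = parse_sip(raw)
        if msg is None:
            alerts.append((ts, src_ip, "malformed", "unparsable request line"))
            continue
        h = msg["headers"]
        call_id = h.get("call-id", "")
        if via_mismatch(src_ip, h):
            alerts.append((ts, src_ip, "via_mismatch", h.get("via", "")))
        if msg["method"] == "INVITE":
            known_calls.add(call_id)
            q = recent[src_ip]
            q.append(ts)
            while q and ts - q[0] > window:   # slide the window forward
                q.popleft()
            if len(q) > max_invites and src_ip not in flooding:
                flooding.add(src_ip)
                alerts.append((ts, src_ip, "invite_flood",
                               f"{len(q)} INVITEs in {window}s"))
        elif msg["method"] in ("BYE", "CANCEL") and call_id not in known_calls:
            alerts.append((ts, src_ip, "unsolicited_teardown",
                           f"{msg['method']} for unknown Call-ID {call_id}"))
    return alerts


def sip_request(method, via_host, call_id, seq=1):
    """Build a minimal constructed SIP request for the sample traffic."""
    return (f"{method} sip:bob@ims.example.test SIP/2.0\r\n"
            f"Via: SIP/2.0/UDP {via_host};branch=z9hG4bK{call_id}\r\n"
            f"From: <sip:alice@ims.example.test>;tag=a1\r\n"
            f"To: <sip:bob@ims.example.test>\r\n"
            f"Call-ID: {call_id}\r\n"
            f"CSeq: {seq} {method}\r\n\r\n")


# Constructed sample capture: one benign INVITE, an 8-INVITE burst from one
# subscriber, a BYE for a session nobody set up, and an INVITE whose Via
# claims a host other than the packet's IP-layer source.
SAMPLE_TRAFFIC = (
    [(0.0, "10.0.0.5", sip_request("INVITE", "10.0.0.5", "call-1"))]
    + [(0.1 * i, "10.0.0.9", sip_request("INVITE", "10.0.0.9", f"call-flood-{i}"))
       for i in range(8)]
    + [(1.0, "10.0.0.7", sip_request("BYE", "10.0.0.7", "call-unknown"))]
    + [(1.2, "10.0.0.11", sip_request("INVITE", "192.0.2.44", "call-spoof"))]
)

if __name__ == "__main__":
    for alert in detect(SAMPLE_TRAFFIC):
        print(alert)
```

Run stand-alone, the script reports one alert per indicator type: the flood is reported once (at the sixth INVITE inside the one-second window) rather than on every subsequent packet, the BYE is flagged because no INVITE carried its Call-ID, and the last INVITE is flagged because its Via sent-by host does not match the packet source. In a real deployment the `received=` exception matters, since legitimate NAT traversal also produces Via/IP mismatches, and the Call-ID state would have to be shared with the proxy's dialog table instead of being reconstructed from INVITEs alone.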