Report on Secure Telephony Enabled Middle-box (STEM)
Maggie Nguyen
04/14/2003
Dr. Mark Stamp - SJSU - CS 265 - Spring 2003

Table of Contents
1. Introduction ........................................... 1
2. IP Telephony Overview .................................. 1
   2.1 Major Components of an IP Telephony System ......... 1
   2.2 Protocol Origin of IP Telephony Protocols .......... 2
   2.3 How SIP Works ...................................... 2
3. STEM Architecture ...................................... 3
   3.1 Architecture Components ............................ 3
   3.2 Call Scenarios ..................................... 5
4. STEM Countermeasures on Network Vulnerabilities ........ 7
   4.1 Denial of Service .................................. 7
   4.2 Eavesdropping ...................................... 8
5. References ............................................. 8

Figure List:
Figure 1: Major System Components of an IP Telephony Network [1] ... 1
Figure 2: SIP Call Setup [3] ........................................ 2
Figure 3: SIP Call Flow Diagram [2] ................................. 3
Figure 4: STEM Network Components [2] ............................... 3
Figure 5: Firewall Architecture Block Diagram [2] ................... 4
Figure 6: Incoming Net-to-Net Call Flow [2] ......................... 5
Figure 7: Net-to-Phone Call Flow [2] ................................ 6

1. Introduction

The STEM architecture was prototyped by Brennen Reynolds and Dipak Ghosal; their article was published in the IEEE Communications Magazine in October 2002. STEM is proposed as a countermeasure to network vulnerabilities that affect the transmission of real-time data over enterprise networks. The architecture is built on a basic SIP-deployed network, of the kind used for IP telephony and other dynamic applications.

2. IP Telephony Overview

IP Telephony is the technology that delivers voice signals over the data network rather than over the public switched telephone network (PSTN). The basic steps are the conversion of the analog voice signal to digital format and the compression/translation of that signal into IP packets for transmission over the Internet. The process is reversed at the receiving end.

2.1 Major Components of an IP Telephony System

Figure 1: Major System Components of an IP Telephony Network [1]

• Gateways: devices that handle communication and translation between endpoints in different networks.
• Gatekeepers: devices that keep track of registered endpoints, which are the LAN clients.
• IP Telephones and PC-based Software Phones: terminals enhanced with the functionality and services needed for IP Telephony.
• MCUs (Multipoint Control Units): an optional component introduced in the H.323 standard. The MCU is required in a centralized multipoint conference, where each terminal establishes a point-to-point connection with the MCU.

2.2 Protocol Origin of IP Telephony Protocols

There are two different architectures that enable the implementation of IP telephony. The STEM architecture currently uses the network required for SIP deployment.

Internet Engineering Task Force (IETF):
   Signaling: Session Initiation Protocol (SIP)
   Transport: Real Time Protocol (RTP)
   Media Description: Session Description Protocol (SDP)

International Telecommunication Union (ITU):
   Signaling: H.323
   Codecs: G.711 (PCM), G.729, ...
   ISDN: Q.931

2.3 How SIP Works

A typical example of a SIP message exchange is between two users, Alice and Bob. Alice uses her SIP phone to call Bob on his SIP phone over the Internet. Two SIP proxy servers act on behalf of Alice and Bob to facilitate the session establishment. Alice "calls" Bob using his SIP identity, a type of Uniform Resource Identifier (URI) called a SIP URI. It has a form similar to an email address, typically containing a username and a host name.

Examples: sip:[email protected] and sip:[email protected]

Figure 2: SIP Call Setup [3]
[Diagram: SIP IP Phone (sip:[email protected]), SIP Proxy, DNS Server, SIP Proxy, Location Service, SIP IP Phone (sip:[email protected]), Media Transport. The numbered steps in the figure are:]
1. A request (SIP INVITE) is sent to establish a session.
2. A DNS query is made for the IP address of the SIP proxy of the destination domain.
3. The INVITE is forwarded.
4. The Location Service is queried to check that the destination SIP URI represents a valid registered device, and its IP address is requested.
5. The request is forwarded to the end device.
6. The destination device returns its IP address to the originating device, and a media connection is opened.

Figure 3: SIP Call Sequence [2]
[Sequence diagram between SIP IP Phone (sip:[email protected]), SIP Proxy, DNS Server, SIP Proxy, Location Service and SIP IP Phone (sip:[email protected]). Messages, in order: SIP INVITE; DNS query for the IP address of the SIP proxy of the destination domain; forwarded SIP INVITE; 100 Trying; 100 Trying; Location Service query to check that the destination SIP URI represents a valid registered device and to obtain its IP address; forwarded SIP INVITE; 180 Ringing (relayed back through both proxies); 200 OK (relayed back through both proxies); ACK (relayed forward through both proxies); both-way RTP media; BYE; 200 OK.]

3. STEM Architecture

3.1 Architecture Components [4]

Figure 4: STEM Network Components [2]

Security Manager (SM):
• A database mapping user addresses (SIP URIs) to machine addresses (IP addresses). (This can be implemented by the SIP Location Server.)
• A call reference database with an entry for each employee. A profile could contain information regarding incoming call preferences and a list of spam addresses to be blocked. (This can be implemented in the SIP Server or SIP Location Server.)
• Various threshold levels to be triggered when the network
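The INVITE / 100 Trying / 180 Ringing / 200 OK / ACK / RTP / BYE sequence of Figure 3 can be checked mechanically. The following is an added example, not code from the report or from the STEM prototype: a minimal parser for the start line and headers of a SIP message, and a per-dialog state machine that accepts only the message order shown in the figure and flags anything out of order (a BYE with no dialog, a 200 OK before an INVITE). The sample messages are constructed here; the `Call-ID` values, URIs and the transition table are assumptions for illustration.

```python
"""Toy model of the SIP call sequence in Figure 3: parse SIP messages and
track the dialog state from INVITE, through two-way RTP media, to BYE."""
from typing import Dict, List, Optional, Union


class SipMessage:
    def __init__(self, method: Optional[str], status: Optional[int], headers: Dict[str, str]):
        self.method = method    # set for requests  (INVITE, ACK, BYE)
        self.status = status    # set for responses (100, 180, 200)
        self.headers = headers  # header names are stored lower-cased


def parse_sip(raw: str) -> SipMessage:
    """Parse the start line and the header section of a SIP message (RFC 3261
    text framing). Any SDP body after the blank line is ignored."""
    lines = raw.strip("\r\n").split("\r\n")
    start = lines[0].split()
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line:
            break  # blank line ends the headers; the body would follow
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if start[0] == "SIP/2.0":                      # e.g. "SIP/2.0 180 Ringing"
        return SipMessage(None, int(start[1]), headers)
    return SipMessage(start[0], None, headers)     # e.g. "INVITE sip:bob@... SIP/2.0"


# Allowed transitions of one two-party call, keyed by (state, event), where the
# event is the request method or the response status code. Assumed table that
# mirrors the message order in Figure 3; a real UA also handles retransmissions
# and failure responses, which this toy omits.
TRANSITIONS: Dict[tuple, str] = {
    ("idle", "INVITE"): "inviting",
    ("inviting", 100): "trying",
    ("inviting", 180): "ringing",
    ("trying", 180): "ringing",
    ("trying", 200): "answered",
    ("ringing", 200): "answered",
    ("answered", "ACK"): "media",     # both-way RTP media now flows
    ("media", "BYE"): "closing",
    ("closing", 200): "idle",         # 200 OK to the BYE ends the dialog
}


class Call:
    def __init__(self) -> None:
        self.state = "idle"
        self.call_id: Optional[str] = None

    def feed(self, msg: SipMessage) -> str:
        """Advance the dialog; raise ValueError on a message that does not fit."""
        event: Union[str, int, None] = msg.method if msg.method else msg.status
        cid = msg.headers.get("call-id")
        if self.call_id is None:
            self.call_id = cid
        elif cid != self.call_id:
            raise ValueError("Call-ID does not belong to this dialog")
        new_state = TRANSITIONS.get((self.state, event))
        if new_state is None:
            raise ValueError(f"unexpected {event} in state {self.state}")
        self.state = new_state
        return new_state


def _m(start: str, call_id: str = "c1@alice-phone") -> str:
    # Constructed sample message; Call-ID ties all messages of one dialog together.
    return (f"{start}\r\nCall-ID: {call_id}\r\n"
            "From: <sip:alice@example.com>\r\nTo: <sip:bob@example.com>\r\n\r\n")


# The complete flow of Figure 3 as seen by Alice's phone (constructed sample).
SAMPLE_FLOW: List[str] = [
    _m("INVITE sip:bob@example.com SIP/2.0"),
    _m("SIP/2.0 100 Trying"),
    _m("SIP/2.0 180 Ringing"),
    _m("SIP/2.0 200 OK"),
    _m("ACK sip:bob@example.com SIP/2.0"),
    _m("BYE sip:alice@example.com SIP/2.0"),
    _m("SIP/2.0 200 OK"),
]


def run_call(raw_messages: List[str]) -> List[str]:
    """Feed messages through one Call and return the state after each one."""
    call = Call()
    return [call.feed(parse_sip(raw)) for raw in raw_messages]


def is_valid_flow(raw_messages: List[str]) -> bool:
    """True if the whole sequence is accepted by the state machine."""
    try:
        run_call(raw_messages)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(run_call(SAMPLE_FLOW))
    print(is_valid_flow([SAMPLE_FLOW[5]]))  # a lone BYE with no dialog
```

Running the sample flow walks the states `inviting, trying, ringing, answered, media, closing, idle`; a lone BYE or a 200 OK arriving before any INVITE is rejected, which is the kind of out-of-sequence signaling a middle-box in the call path can refuse to forward.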
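The three Security Manager components listed above (the SIP-URI-to-IP map, the per-employee call reference database with blocked addresses, and threshold levels) can be sketched as one screening function applied to each incoming INVITE. This is an added example and not the STEM prototype's own code; the threshold semantics are an assumption (a count of INVITEs per source within a sliding time window), since the page does not state what the article's thresholds measure. Registrations, profiles, URIs and addresses are all constructed sample data.

```python
"""Toy Security Manager (SM) modelled on the component list in Section 3.1.
Assumed policy: drop on INVITE-rate threshold, reject unregistered callees,
reject callers on the callee's block list, honour an internal-only preference."""
from collections import defaultdict, deque
from typing import Deque, Dict, List, Optional, Set, Tuple


def _domain(uri: str) -> str:
    """Host part of a SIP URI such as sip:alice@corp.example."""
    return uri.split("@", 1)[1] if "@" in uri else ""


class Profile:
    """One call reference database entry (per employee)."""
    def __init__(self, accept_external: bool = True, blocked: Optional[Set[str]] = None):
        self.accept_external = accept_external   # incoming-call preference
        self.blocked = blocked or set()          # spam SIP URIs to be blocked


class SecurityManager:
    def __init__(self, invite_limit: int = 3, window: float = 10.0):
        self.registrations: Dict[str, str] = {}   # SIP URI -> IP address (Location Server role)
        self.profiles: Dict[str, Profile] = {}    # call reference database
        self.invite_limit = invite_limit          # assumed threshold: INVITEs per source per window
        self.window = window                      # seconds
        self._recent: Dict[str, Deque[float]] = defaultdict(deque)  # per-source INVITE times
        self.alerts: List[Tuple[float, str]] = []  # (time, source) when a threshold trips

    def register(self, uri: str, ip: str) -> None:
        self.registrations[uri] = ip

    def set_profile(self, uri: str, profile: Profile) -> None:
        self.profiles[uri] = profile

    def _over_threshold(self, source: str, now: float) -> bool:
        """Sliding-window count of INVITEs from one source URI."""
        times = self._recent[source]
        times.append(now)
        while times and now - times[0] > self.window:
            times.popleft()
        return len(times) > self.invite_limit

    def screen_invite(self, from_uri: str, to_uri: str, now: float) -> Tuple[str, str]:
        """Decide what to do with an INVITE. Returns (decision, detail); for
        'forward' the detail is the callee's IP address to hand to the proxy."""
        if self._over_threshold(from_uri, now):
            self.alerts.append((now, from_uri))
            return ("drop", "invite rate threshold exceeded")
        ip = self.registrations.get(to_uri)
        if ip is None:
            return ("reject", "callee not registered")
        profile = self.profiles.get(to_uri, Profile())
        if from_uri in profile.blocked:
            return ("reject", "caller on callee's block list")
        if not profile.accept_external and _domain(from_uri) != _domain(to_uri):
            return ("reject", "callee accepts internal calls only")
        return ("forward", ip)


def build_sample_sm() -> SecurityManager:
    """Constructed sample registration and profile data."""
    sm = SecurityManager(invite_limit=3, window=10.0)
    sm.register("sip:bob@corp.example", "10.0.0.12")
    sm.set_profile("sip:bob@corp.example",
                   Profile(accept_external=False, blocked={"sip:spam@junk.example"}))
    return sm


if __name__ == "__main__":
    sm = build_sample_sm()
    for t, caller in enumerate(["sip:alice@corp.example", "sip:spam@junk.example",
                                "sip:eve@outside.example", "sip:alice@corp.example",
                                "sip:alice@corp.example", "sip:alice@corp.example"]):
        print(t, caller, sm.screen_invite(caller, "sip:bob@corp.example", float(t)))
    print(sm.alerts)
```

The decision order matters: the rate check runs first so that a flood from one source is counted and dropped before any database lookup is spent on it, while block-list and preference checks only run for callees that are actually registered. The `alerts` list is where a deployment would hook logging for the threshold events.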