Secure Telephony Enabled
Middle-box (STEM)
STEM is proposed as a solution to network vulnerabilities,
targeting the transmitting of real-time data over enterprise networks.
Maggie Nguyen
Dr. Mark Stamp
SJSU - CS 265
Spring 2003
Topics

IP Telephony Overview




STEM Architecture



IP Telephony Components
IP Telephony Protocols
How SIP Works
Architecture Components
Call Scenarios
STEM Security Countermeasures


DoS Attack
Eavesdropping
IP Telephony Components
1.
2.
3.
4.
5.
Gateways
Gatekeepers
IP Telephones
PC-based Software
Phones
MCUs
IP Telephony Protocols

Internet Engineering Task Force (IETF):
 Signaling: Session Initiation Protocol (SIP)



Transport: Real Time Protocol (RTP)
Media Description: Session Description Protocol (SDP)
International Telecommunications Union (ITU):
 Signaling: H.323


Codecs: G.711 (PCM), G.729, …
ISDN: Q.931
STEM architecture is currently using the network required for SIP
deployment.
How SIP Works
– SIP Call Setup
DNS Server
DNS Query for
the IP Address of
the SIP Proxy of
the Destination
Domain
2
The INVITE is
forwarded
The Location Service is
being queries to check that
the destination SIP URI
represents a valid registered
device, and requests for its
IP Address
Location Service
4
3
A request is sent
(SIP INVITE) to
ESTABLISH a
session
1
SIP Proxy
5
The request is forwarded to
the End-Device
SIP Proxy
SIP IP Phone
6
sip:bob@cs.sjsu.edu
Media Transport
SIP IP Phone
sip:alice@alanta.com
Destination device returns
its IP Address to the
originating device and a
media connection is opened
How SIP Works
DNS Server
DNS Query for
the IP Address of
the SIP Proxy of
the Destination
Domain
– SIP Call Sequence
The Location Service is
being queries to check that
the destination SIP URI
represents a valid registered
device, and requests for its
IP Address
Location Service
SIP Proxy
SIP Proxy
SIP IP Phone
sip:bob@cs.sjsu.edu
SIP IP Phone
sip:alice@alanta.com
STEM Architecture Components




Security Manager (SM)
Enhanced Firewall
Media / Signaling Gateway (M/S Gateway)
User Terminals
STEM Enhanced Firewall





Pattern Matcher
Protocol Parser
Flow Monitor
Application Gateway
External Interface
Call Scenarios –
Net-to-Net
Call Scenarios –
Net-to-Phone
STEM Security Countermeasures

Denial of Service





TCP SYN Floods detected by Flow Monitor.
SIP INVITE Floods detected by Protocol Parser.
Malicious RTP Streams detected by Flow Monitor.
M/S Gateway Voice Port saturation.
Eavesdropping


Control Flow: STEM uses secured communication
protocols among SM, firewall, M/S gateways.
Data Flow: STEM replies on application protocols
(SIP or H.323) to implement payload encryption.
References

International Engineering Consortium. H.323.
http://www.iec.org/online/tutorials/h323/

Reynolds, B. Challenges Challenges and Rewards in Enterprise
Deployments of IP Telephony Presentation.
http://networks.cs.ucdavis.edu/~ghosal/Research/Talks/IP-TelNetlab%20talK%20-%20rev%202.ppt

Reynolds, B. Deploying IP Telephony in an Enterprise and the
Vulnerabilities that Come With It Presentation.
http://seclab.cs.ucdavis.edu/secsem2/ReynoldsSeminar.ppt

Reynolds, B. and D. Ghosal. STEM: Secure Telephony Enabled
Middlebox. IEEE Communications Magazine Special Issue on
Security in Telecommunication Networks. October 2002
http://www.off-pisteconsulting.com/research/pubs/ieee_comm.pdf