2. Information
Hosted by: American Chamber of Commerce Taiwan, Communications Technology Workshop
This presentation is publicly available at: http://www.slideshare.net/thomasjs
This presentation is published under the Creative Commons Attribution Share Alike License.
For more information, see http://creativecommons.org/about/licenses/
3. Agenda
- Introduction
- Basics of telephony and networking
- Skype
- SIP protocol
- Hardware
- Service providers
- Integration into network and telephone system
- Scenarios and examples
Time: 2 hours, 30 minutes
5. Introduction
Internet Telephony
VoIP – Voice over IP (IP – Internet Protocol)
Pro: more economical
- no telephone charge for computer-to-computer calls*
- charge of a local call for computer-to-telephone calls
*) except for the charge for network access
Con: more complicated and less reliable
- relies on electric power
- emergency calls cannot be mapped to a location
- network: connection interruptions, packet loss
- security: calls over the Internet are easier to trace
- configuration: firewall traversal
6. Return on Investment
Assumptions: 60 min of calls per day to Germany, 20 days per month
CHT: 16 NTD/min; VoIP: 1 €¢/min
Investment for VoIP: 100,000 NTD
ROI after 5 months; after that savings of >18,500 NTD/month
[Chart: accumulated cost over 6 months (months 1–6), CHT versus VoIP]
7. How does it work?
Computer (+ sound card, + headset, + software) converts voice into digital signals.
Network transports digital signals as data packets.
Telephone adapter (+ analog telephone) converts digital signals into voice.
8. Telephony
PSTN – Public Switched Telephone Network
POTS – Plain Old Telephone Service
ISDN – Integrated Services Digital Network
PBX – Private Branch Exchange
FXO – Foreign Exchange Office
FXS – Foreign Exchange Station
10. PBX
PBX = PABX – Private Automatic Branch Exchange
[Diagram: PSTN – trunk – FXO port of the PBX; FXS ports of the PBX – extensions]
FXO – goes on-hook and off-hook
FXS – provides power, ring signal, dial tone
11. Network
Packet-Switching
[Diagram: clients and a server connected through a mesh of routers; R – router]
12. Layer Concept
[Diagram: postal analogy – a message from the sender is sent by registered delivery to an address; layers: Service, Transport, Network]
13. Protocol Stack
ISO/OSI*         | Internet          | Examples
7 Application    | Application       | www: HTTP, FTP, DNS
6 Presentation   |                   | mail: SMTP, POP, IMAP
5 Session        |                   | p2p: SIP, eD2k, XMPP
4 Transport      | Transport         | TCP, UDP, NetBEUI, WAP
3 Network        | Internet          | IP, IGMP, ICMP, IPsec, ARP
2 Data Link      | Network Access**  | PPP, L2TP, GPRS, ATM, FR
1 Physical       |                   | Ethernet, USB, Wi-Fi, ISDN
*) ISO – International Organization for Standardization, OSI – Open Systems Interconnection
**) original TCP/IP model; the recent 5-layer model splits this into a data link and a physical layer
14. TCP/IP Packet
IP packet: header (source address, destination address) + data (the TCP packet)
TCP packet: header (source port, destination port) + data (application data: HTTP, FTP, SMTP)
16. Network Address Translation
NAT, IP masquerading
Address shortage of IP ver. 4: 32 bit => 4 G ~ 4 billion addresses
Address ranges only for private use:
class A: 10.x.x.x, class B: 172.16.x.x – 172.31.x.x, class C: 192.168.x.x
Internet gateway (firewall) translates between private and public addresses.
Firewall rules:
- request LAN -> Internet: allow
- response Internet -> LAN: allow
- request Internet -> LAN: deny
The Internet can only connect to the LAN when the LAN has sent a request before.
[Diagram: Internet – NAT gateway – LAN]
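As an added illustration that is not part of the slides, the three firewall rules above written out as a small stateful NAT in Python. It also models the distinction between a cone ("asymmetric") NAT and a symmetric NAT, which decides whether the public address reported by a STUN server is reachable by a peer; all addresses are constructed sample values.

```python
class Nat:
    """Toy NAT gateway implementing the three rules on the slide: a request from
    the LAN creates a mapping and is allowed out, a reply to that mapping is let
    in, and any unsolicited packet from the Internet is denied.
    symmetric=True keys the mapping on the remote peer as well (symmetric NAT);
    the default keys it on the private endpoint only (cone / "asymmetric" NAT)."""

    def __init__(self, public_ip, symmetric=False, first_port=40000):
        self.public_ip = public_ip
        self.symmetric = symmetric
        self.next_port = first_port
        self.table = {}    # mapping key -> public port
        self.reverse = {}  # public port -> (private endpoint, first remote peer)

    def _key(self, private, remote):
        return (private, remote) if self.symmetric else (private, None)

    def outbound(self, private, remote):
        """LAN -> Internet request (rule 1: allow). Returns the translated source."""
        key = self._key(private, remote)
        if key not in self.table:
            self.table[key] = self.next_port
            self.reverse[self.next_port] = (private, remote)
            self.next_port += 1
        return (self.public_ip, self.table[key])

    def inbound(self, remote, public_port):
        """Internet -> LAN packet. Returns the private endpoint it is delivered to,
        or None when it is dropped (rule 3: no prior request from the LAN)."""
        entry = self.reverse.get(public_port)
        if entry is None:
            return None
        private, first_remote = entry
        if self.symmetric and remote != first_remote:
            return None  # symmetric NAT: only the peer we contacted may answer
        return private   # rule 2: response to an earlier request is allowed


def stun_then_peer(symmetric):
    """Does a peer reach us at the public address a STUN server reported?
    Addresses are constructed sample values (RFC 5737 documentation ranges)."""
    nat = Nat("203.0.113.1", symmetric=symmetric)
    host = ("192.168.1.20", 5060)
    stun_server, peer = ("198.51.100.1", 3478), ("198.51.100.7", 5060)
    reported = nat.outbound(host, stun_server)  # what the STUN reply tells us
    nat.outbound(host, peer)                    # we signal the peer our address
    return nat.inbound(peer, reported[1]) == host
```

`stun_then_peer(False)` succeeds and `stun_then_peer(True)` fails, which is the reason STUN does not help behind a symmetric NAT.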
17. Peer-to-Peer Communication
Peer-to-Peer (P2P): VoIP, file sharing, instant messaging
VoIP Protocols
two protocols involved: SIP and RTP
- SIP – session initiation protocol: signalling, UDP port 5060
- RTP – real-time transport protocol: voice communication, UDP port range 10000-20000
NAT Traversal
- different kinds of NAT: symmetric, asymmetric
- UDP hole punching
- STUN – Simple Traversal of UDP through NATs
  necessary when both clients are behind NAT
  doesn't work with symmetric NAT
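To show what STUN actually exchanges, here is an added example (not from the slides) that builds a STUN Binding Request and parses the server's Binding response to recover the public address and port the NAT assigned, as defined in RFC 5389; the server reply is constructed inline so the code runs offline, and the transaction id check is what keeps a client from accepting a stray or forged reply.

```python
import os
import socket
import struct

MAGIC_COOKIE = 0x2112A442        # fixed value in every RFC 5389 STUN message
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
ATTR_XOR_MAPPED_ADDRESS = 0x0020


def build_binding_request(transaction_id=None):
    """STUN Binding Request: type, length 0, magic cookie, 96-bit transaction id."""
    tid = transaction_id or os.urandom(12)
    return struct.pack("!HHI", BINDING_REQUEST, 0, MAGIC_COOKIE) + tid


def build_binding_success(transaction_id, ip, port):
    """Constructed server reply with one XOR-MAPPED-ADDRESS attribute, i.e. what
    a STUN server would send back; used here only as an offline sample."""
    xport = port ^ (MAGIC_COOKIE >> 16)
    xaddr = struct.unpack("!I", socket.inet_aton(ip))[0] ^ MAGIC_COOKIE
    value = struct.pack("!BBHI", 0, 0x01, xport, xaddr)   # reserved, IPv4, port, addr
    attr = struct.pack("!HH", ATTR_XOR_MAPPED_ADDRESS, len(value)) + value
    return struct.pack("!HHI", BINDING_SUCCESS, len(attr), MAGIC_COOKIE) + transaction_id + attr


def parse_binding_success(data, expected_tid):
    """Return (public_ip, public_port) as seen by the server, or raise ValueError.
    The transaction id must match our request so an unrelated reply is rejected."""
    if len(data) < 20:
        raise ValueError("short STUN message")
    mtype, mlen, cookie = struct.unpack("!HHI", data[:8])
    tid = data[8:20]
    if cookie != MAGIC_COOKIE or tid != expected_tid:
        raise ValueError("not a reply to our request")
    if mtype != BINDING_SUCCESS:
        raise ValueError("not a Binding success response: 0x%04x" % mtype)
    body, off = data[20:20 + mlen], 0
    while off + 4 <= len(body):
        atype, alen = struct.unpack("!HH", body[off:off + 4])
        value = body[off + 4:off + 4 + alen]
        off += 4 + ((alen + 3) // 4) * 4          # attributes are padded to 32 bits
        if atype == ATTR_XOR_MAPPED_ADDRESS and value[1] == 0x01:
            xport, xaddr = struct.unpack("!HI", value[2:8])
            port = xport ^ (MAGIC_COOKIE >> 16)     # undo the XOR with the cookie
            ip = socket.inet_ntoa(struct.pack("!I", xaddr ^ MAGIC_COOKIE))
            return ip, port
    raise ValueError("no XOR-MAPPED-ADDRESS in reply")
```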
21. Skype
- Peer-to-peer Internet telephony (VoIP) network
- Software is free, but not open source
- Proprietary protocol, traffic encrypted
- Founded by the founders of the file sharing application Kazaa
- Acquired by eBay in October 2005
- Easy to deploy even behind firewall and NAT
- Heavy use of network bandwidth and other resources
- Difficult to integrate into an organization's security strategy
22. Getting Granular on Skype
2004 – Columbia University, New York, USA
An Analysis of the Skype Peer-to-Peer Internet Telephony Protocol
http://www1.cs.columbia.edu/~library/TR-repository/reports/reports-2004/cucs-039-04.pdf
Analysis of network structure and traffic
2006 – EADS Corporate Research Center, France
Silver Needle in the Skype
http://www.secdev.org/conf/skype_BHEU06.handout.pdf
The developers of Skype made an immense effort to prevent reverse engineering, i.e. getting an inside view. The Skype client detects when it is running within a debugger and then changes its behavior. Parts of its code are encrypted and are only decrypted at runtime.
23. Problems with Skype
From a network security administrator's point of view
- Almost everything is obfuscated
- Peer-to-peer architecture
- Traffic even when the software is not used
From a system security administrator's point of view
- Many protections, anti-debugging tricks, ciphered code
- A product that works well, for free, from a company not involved in Open Source?!
From the Chief Security Officer's point of view
- Is Skype a backdoor?
- Can I distinguish Skype's traffic from real data exfiltration?
- Is Skype a risky program for my sensitive business?
24. Conclusion
Good points
- Skype was made by clever people
- Good use of cryptography
Bad points
- Hard to enforce a security policy with Skype
- Jams traffic, can't be distinguished from data exfiltration
- Incompatible with traffic monitoring, IDS
- Impossible to protect from attacks (which would be obfuscated)
- Total black box, lack of transparency
- No way to know if there is or will be a backdoor
- Fully trusts anyone who speaks Skype
25. SIP Protocol
SIP – session initiation protocol
- application layer protocol used for Internet telephone calls, multimedia distribution, and multimedia conferences
- standardized by the Internet Engineering Task Force (IETF)
- open specification: RFC 3261 (like all Internet standards)
SIP – The De-facto VoIP Standard
http://en.wikipedia.org/wiki/SIP_Telephony#SIP_-_The_De-facto__VoIP_Standard
SIP – signalling, UDP port 5060
RTP – real-time transport protocol: voice communication, UDP port range 10000-20000
Codec – audio data compression algorithm for voice
G.729a – 8 kbps, G.711 – 64 kbps, G.723 obsolete, superseded by G.726 – 16-40 kbps
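An added example, not part of the slides, of what the SIP signalling on port 5060 carries: a parser for a SIP INVITE whose SDP body names the RTP port and codecs the call will use. A firewall that reads this can open just the one negotiated UDP port for the call rather than the whole 10000-20000 range; the INVITE and SDP are constructed sample messages, and the codec names for the static payload types come from RFC 3551.

```python
import re

# Static RTP payload types (RFC 3551) for the codecs the slide names.
PAYLOAD_CODECS = {0: "G.711 PCMU", 8: "G.711 PCMA", 4: "G.723.1", 18: "G.729"}
RTP_PORT_RANGE = (10000, 20000)  # RTP range quoted on the slide

# Constructed SDP offer and INVITE (sample values, not captured traffic).
SAMPLE_SDP = (
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 192.168.1.20\r\n"
    "c=IN IP4 192.168.1.20\r\n"
    "m=audio 10042 RTP/AVP 0 18\r\n"
)
SAMPLE_INVITE = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "From: Alice <sip:alice@example.com>;tag=1928301774\r\n"
    "To: Bob <sip:bob@example.com>\r\n"
    "Call-ID: a84b4c76e66710@192.168.1.20\r\n"
    "Content-Type: application/sdp\r\n"
    "Content-Length: %d\r\n\r\n"
) % len(SAMPLE_SDP) + SAMPLE_SDP


def parse_sip(message):
    """Split a SIP request into request line, headers (lower-cased names) and body,
    checking that the body really has the declared Content-Length."""
    head, _, body = message.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, uri, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    declared = int(headers.get("content-length", len(body)))
    if declared != len(body):
        raise ValueError("Content-Length %d but body is %d bytes" % (declared, len(body)))
    return {"method": method, "uri": uri, "version": version, "headers": headers, "body": body}


def rtp_pinhole(sdp):
    """Return (ip, port, codecs) of the audio stream offered in the SDP: the one UDP
    port a firewall needs to open for this call instead of the whole RTP range."""
    conn = re.search(r"^c=IN IP4 (\S+)", sdp, re.M)
    media = re.search(r"^m=audio (\d+) RTP/AVP((?: \d+)+)", sdp, re.M)
    if not conn or not media:
        raise ValueError("no audio offer in SDP")
    port = int(media.group(1))
    lo, hi = RTP_PORT_RANGE
    if not lo <= port <= hi:
        raise ValueError("RTP port %d outside permitted range %d-%d" % (port, lo, hi))
    codecs = [PAYLOAD_CODECS.get(int(p), "dynamic/unknown") for p in media.group(2).split()]
    return conn.group(1), port, codecs
```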
26. VoIP Provider
SIP – open protocol => everyone can offer services for it
A VoIP provider is connected to both the Internet and the PSTN.
Over 2000 SIP VoIP providers
Dialing between providers, e.g. FreeWorldDialup no. 740218 => *393 740218
http://www.sipbroker.com/sipbroker/action/providerWhitePages
Advanced Features
- monthly rate, flat rate
- unlimited local and long distance calling
- voicemail, call forwarding, caller ID
- dial-in number with home area code
- direct inward dialing (DID)
- fax receipt with e-mail notification
27. VoIP Services
[Diagram: IP telephone and a computer with soft phone and headset on the Internet; the VoIP provider's gateway between Internet and PSTN; analog telephone on the PSTN]
1) VoIP call – free
2) dial-out – charged
3) dial-in – charged
28. VoIP Hardware
SIP – open protocol => everyone can build devices for it
- Router
- Analog Telephony Adapter (ATA)
- SIP-Phone
- Wireless Phone
- USB-Devices
- Integrated Systems
- Large Systems
Hardware bundled by VoIP providers:
http://www.voipbuster.com/en/hardware.html
http://www.sipgate.de/voipshop
34. Integrated Systems
- Multiple analog ports (FXS, FXO)
- PBX
- Firewall
- VPN-gateway
- WLAN
- ISDN
35. Large System
Used by VoIP Providers
- SIP Proxy Server
- T1/E1 Gateway
- RTP Resource Server
- Session Border Controller
- Voice Mail, Auto-Attendant
- Application Server
- Conference Server
- IP Recorder
- Billing Server
- Universal SIP/H.323 Signal Converter
36. IP PBX
Software PBX
- can be installed on standard hardware, from a PC to a Unix server
- additional hardware required for the connection to POTS (FXO/FXS) or ISDN
- embedded appliances available
Asterisk
- popular open source software; another is sipX
- Linux distributions: Trixbox, AstLinux, AsteriskNOW
- used as basis for embedded appliances
- used by leading VoIP providers, e.g. iotum*
*) iotum was named "Cool Vendor" in Enterprise Communications by Gartner in 2007
http://www.asterisk.org
37. Asterisk
Analog cards
- PCI bus, half or full length
- 1-8 FXO/FXS interfaces
Digital cards
- PRI E1/T1, ISDN
Appliance
- IP-PBX embedded in a device with analog interfaces
Developer kits
- versions for ITSPs, OEMs, resellers, and integrators
38. IP-PBX
Software PBX
- embedded in robust hardware
- mostly based on Asterisk
- configurable via web browser
Primary rate interface
- 23 (T1) or 30 (E1) channels
Multiple extensions
- FXS or ISDN
39. Application Examples
Integration with PBX
- VoIP gateway without PBX
- VoIP gateway with PBX connected via FXS
- VoIP gateway with PBX connected via FXO
Integration with Network
- VoIP gateway as Firewall
- VoIP gateway in LAN with private IP address
- VoIP gateway in DMZ with private IP address
- VoIP gateway in DMZ with public IP address
IP-PBX
- SIP only / SIP and Skype
43. VoIP Gateway with PBX (FXO)
[Diagram: PSTN – FXO port of the PBX; Internet – VoIP gateway, whose FXO port connects to an FXS port of the PBX; further FXS ports of the PBX – extensions]
45. VoIP Gateway in LAN
[Diagram: VoIP provider and STUN server on the Internet (public IP address); NAT firewall (FW – firewall); VoIP gateway inside the LAN (LAN – local area network) with a private IP address]
46. VoIP Gateway in DMZ
DMZ – demilitarized zone
[Diagram: Internet (public IP address) – firewall with NAT – VoIP gateway in the DMZ with a private IP address – LAN]
47. VoIP Gateway with public IP
[Diagram: Internet – outer firewall – VoIP gateway in the DMZ with a public IP address – inner firewall with NAT – LAN with private IP addresses]
49. IP-PBX
[Diagram: PSTN – FXO port of the IP-PBX; Internet – firewall – IP-PBX; FXS port – analog telephone; LAN – digital (IP) telephone]
50. SIP and Skype
[Diagram: PSTN – FXO port of the PBX; Internet – VoIP gateway – FXS port of the PBX; further FXS ports of the PBX – extensions; LAN – PC with FXS card and Skype software connected to the PBX]
51. VoIP Scenarios
Transfer call between two VoIP providers
- dial via the caller's VoIP provider
- transfer call to the company's VoIP provider
- transfer call to the company's internal extension
Transfer incoming call to teleworker
- teleworker is registered to the company's PBX (no provider)
- customer calls in via PSTN
- company's operator transfers call to teleworker*
Setup multi-location corporate infrastructure
- headquarters serves as central registrar (no provider)
- branch offices register to headquarters
*) http://en.wikipedia.org/wiki/Teleworker
52. Two VoIP Providers
[Diagram: caller on VoIP provider A over the Internet; company's VoIP gateway on VoIP provider B, with an FXO trunk to the PSTN; PBX with FXS ports to operator and extension]
53. Teleworker
[Diagram: customer on the PSTN – FXO – PBX; teleworker (Wi-Fi) and mobile worker over the Internet – VoIP gateway – FXO – PBX; operator on an FXS port]
54. Corporate Infrastructure
[Diagram: factory site with PBX, FXO trunk to the PSTN and VoIP gateway to the Internet; sales office connected over the Internet; customer on the PSTN; FXS extension]