IMS and Security Sri Ramachandran NexTone
Traditional approaches to Security - The “CIA” principle
• Confidentiality
  • Am I communicating with the right system or user?
  • Can another system or user listen in?
• Integrity
  • Have the messages been tampered with?
• Availability
  • Can the systems that enable the communication service be compromised?
The Demarcation Point – Solution for protecting networks and multiple end systems
• Create a trust boundary by using a firewall
• Firewalls and NATs use the “Authorization” principle of Confidentiality
[Diagram: an untrusted network and a trusted private IP address space separated by the firewall; an authorized stream and an unauthorized stream are shown at the boundary to “the” network]
Solutions for separate control and data streams
• FTP, BitTorrent, RTSP, SIP have separate control and data streams
• Data streams are ephemeral
• Solution: use an Application Layer Gateway (ALG)
  • Scan the control stream for the attributes of the data stream
• 2 approaches to building ALGs
  • Dedicated purpose
  • Deep packet inspector/scanner
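A worked illustration of the SIP case, added here and not part of the slides: the ALG reads the SDP body carried in the SIP control stream, extracts the media address and port of each m= line, and derives the pinholes to open. The policy that a stream is only admitted when its connection address matches the host that sent the signaling is an assumed defensive rule, and the INVITE is a constructed sample.

```python
from ipaddress import ip_address

# Constructed sample INVITE (not from the slides). The video stream carries a
# media-level c= line pointing at a different host than the signaling source.
SAMPLE_INVITE = (
    "INVITE sip:bob@example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.0.0.5:5060;branch=z9hG4bK776\r\n"
    "From: <sip:alice@example.org>;tag=1928\r\n"
    "To: <sip:bob@example.net>\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "CSeq: 1 INVITE\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 10.0.0.5\r\n"
    "s=-\r\n"
    "c=IN IP4 10.0.0.5\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0 8\r\n"
    "m=video 51372 RTP/AVP 31\r\n"
    "c=IN IP4 10.0.0.7\r\n"
)

def parse_sdp_media(sdp):
    """Return one dict per m= line: kind, port, proto and connection ip.
    A c= line before any m= line is session-level; a c= line after an m= line
    overrides the address for that media stream only."""
    media, session_ip = [], None
    for line in sdp.splitlines():
        if line.startswith("c="):
            parts = line[2:].split()
            if len(parts) != 3 or parts[:2] != ["IN", "IP4"]:
                continue
            if media:
                media[-1]["ip"] = parts[2]
            else:
                session_ip = parts[2]
        elif line.startswith("m="):
            parts = line[2:].split()
            if len(parts) < 3 or not parts[1].isdigit():
                continue
            media.append({"kind": parts[0], "port": int(parts[1]),
                          "proto": parts[2], "ip": session_ip})
    return media

def media_pinholes(sip_msg, src_ip):
    """(kind, ip, port) pinholes the ALG opens for this message; the caller
    also opens port+1 for RTCP. Port 0 means a rejected stream (no hole)."""
    head, sep, body = sip_msg.partition("\r\n\r\n")
    if not sep or "application/sdp" not in head.lower():
        return []
    holes = []
    for m in parse_sdp_media(body):
        if m["ip"] is None or not 1024 <= m["port"] <= 65535:
            continue
        if not m["proto"].startswith("RTP/"):
            continue
        # Assumed policy: signaling may only open holes toward its own host,
        # so a forged c= line cannot expose a third internal system.
        if ip_address(m["ip"]) != ip_address(src_ip):
            continue
        holes.append((m["kind"], m["ip"], m["port"]))
    return holes
```

Pinholes derived this way should carry the same short lifetime as the ephemeral data stream and be closed when the dialog ends (BYE) or the session timer expires.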
Characteristics of Session Services
• Signaling and media may traverse different networks
• Intermediate systems for signaling and media are different
• Signaling and media networks may be independently secured
• Signaling and media have different quality characteristics
  • Media is latency, jitter and packet loss sensitive
  • Reliable delivery of signaling messages is more important than latency and jitter
Denial of Service (DoS) Concepts
• Multiple layers:
  • Layer 3/4: prevention or stealing of session layer processing
  • Layer 5: prevention and/or stealing of application layer processing (prevention of revenue loss)
• Theft of service
• Unable to honor Service Level Agreement
• Resource over-allocation
• Resource lock-in
Components of a complete security solution
• Ability to create a trust boundary for session services independent of data
• Ability to strongly authenticate users and end devices at all session network elements or networks
• Ability to encrypt at the trust boundary
• Prevent denial of service attacks on service intermediaries
  • Hardened OS, Intrusion Detection/Prevention
• Secure management of network elements
  • IPSec, HTTPS, SSH
• Allow network or flow based correlation and aggregation
[Diagram: Convergence of Services. Layers: Back Office, Application, Service Delivery/Session Control, Transport, Terminals. Services shown: triple play services, vertically integrated apps, Collaboration, Internet, IPTV, VoIP, Internet TV, Wireless Voice]
[Diagram: Network to Service Centric. Same layers; services shown: VoIP, Collaboration, Internet, Presence, IPTV]
[Diagram: Migration to IMS. Same layers; services shown: VoIP, Collaboration, Presence, IPTV; session control elements CSCF and HSS; access: Wireless, Wireline]
[Diagram: Path to IMS. Stages shown: Separate Applications, Converged Network, Common Session Control, IMS]
CableLabs PacketCable 2.0 Reference Architecture
• PacketCable Multimedia
• IMS elements adopted and enhanced for Cable
• NAT & Firewall Traversal
• Provisioning, Management, Accounting
• Re-use PacketCable PSTN gateway components
• IMS Service Delivery
• Compatible with E-MTAs
• Different types of clients
Issues with IMS today
• Access differentiates IMS flavors
• IMS functions and value misunderstood
• Bridge from ‘legacy’ to IMS networks mostly underplayed
• Ignores Web 2.0 and non-SIP based sessions
• Focus on pieces inside the ‘walled garden’ – not on interconnecting
• Not enough focus on applications
Access Defines IMS Components
[Diagram: access types and the IMS edge components labelled for each, connected through the Visited Network, Home Network, Internet and IMS Core. WiFi (UMA): SeGW + UNC, P-CSCF + C-BGF; WiMAX, WiFi: PDG + P-CSCF + C-BGF; BB DSL: A-BCF + C-BGF + P-CSCF; BB Cable: P-CSCF + App Manager + C-BGF]
Secure Border Function (SBF)
• Similar concept to a firewall
• Sits alongside CSCF network elements
• Thwarts DoS/DDoS attacks
• Uses established techniques for firewall/NAT traversal
• Adds previously non-existent rate based Admission Control capabilities
SBF Logical Security Architecture
[Diagram: layered protection applied to both SIGNALING and MEDIA]
• Layer 7 – Application: Call Admission Control with Authentication/Authorization
  • Theft of service mitigation
  • SPAM/SPIT prevention
• Layer 5 – SIP: SIP Control with Rate Admission Control
  • SIP protocol vulnerabilities
  • DoS protection
• Layer 4 – TCP/UDP: TCP/IP stack in operating system
  • Hardened OS
  • DoS protection
• Layer 3 – IP: Packet Filter
• Layer 2 – Ethernet: Queue/Buffer Management, packet rate management
• Across all layers: Reporting & Monitoring, Alarming & Closed Loop Control, Network based Correlation, Analytics/Post-processing
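The rate based admission control named in the SBF slides, worked as an added example that is not NexTone's code: a per-source token bucket in front of the SIP stack admits or drops each request before it consumes parser or dialog state, and counts drops per source so the reporting and alarming layer has something to correlate. The per-method cost weighting and the traffic mix in the simulation are assumptions constructed for the example.

```python
import time
from collections import defaultdict

class RateAdmissionControl:
    """Token-bucket admission control for SIP requests, keyed by source IP.

    Each source gets `burst` tokens, refilled at `rate` tokens per second.
    A request is admitted only if its cost can be paid from the bucket;
    otherwise it is dropped before reaching the SIP stack and the drop is
    counted per source for reporting and alarming.
    """

    def __init__(self, rate=5.0, burst=10, costs=None, clock=time.monotonic):
        self.rate, self.burst, self.clock = rate, burst, clock
        # Assumed weighting (not from the slides): INVITE is charged more
        # because it allocates dialog state; other methods cost 1.
        self.costs = costs or {"INVITE": 3}
        self.buckets = {}            # src_ip -> (tokens, last_seen)
        self.rejected = defaultdict(int)

    def admit(self, src_ip, method="OPTIONS", now=None):
        now = self.clock() if now is None else now
        tokens, last = self.buckets.get(src_ip, (float(self.burst), now))
        tokens = min(float(self.burst), tokens + (now - last) * self.rate)
        cost = self.costs.get(method.upper(), 1)
        if tokens >= cost:
            self.buckets[src_ip] = (tokens - cost, now)
            return True
        self.buckets[src_ip] = (tokens, now)
        self.rejected[src_ip] += 1
        return False

def sip_method(raw_request):
    """Method token of a SIP request line, e.g. 'INVITE sip:bob@x SIP/2.0'."""
    return raw_request.split("\r\n", 1)[0].split(" ", 1)[0].upper()

def simulate_flood(seconds=10):
    """Constructed traffic: one source flooding INVITEs at 1000/s and one
    well-behaved client sending one INVITE per second, over a simulated
    clock. Returns (flood_admitted, legit_admitted, flood_rejected)."""
    rac = RateAdmissionControl()
    flood_ok = legit_ok = 0
    for ms in range(seconds * 1000):
        now = ms / 1000.0
        flood_ok += rac.admit("198.51.100.7", "INVITE", now)
        if ms % 1000 == 0:
            legit_ok += rac.admit("192.0.2.10", "INVITE", now)
    return flood_ok, legit_ok, rac.rejected["198.51.100.7"]
```

The flooding source is held to roughly the refill rate (about 20 INVITEs over 10 s at these settings) while the well-behaved client is never dropped, which is the separation of theft-of-service traffic from paying traffic the slide is after.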
Consolidation of Functions
[Diagram: the SBF application consolidating the edge functions labelled in the slide. Access & Interconnect Session Management: SBC-S, A-BCF, I-BCF. Edge Access & Interconnectivity: PDG, SeGW, BGF, WAP/WAG. Access types: WiFi, WiMAX, UMA, BB]
Benefits of SBF
• Security for both signaling and media
• Signaling and media can be disaggregated or integrated
• Can be integrated with any signaling or media element to protect it
• Consolidates all access types
Thank You! For further comments and discussion: sri@nextone.com www.nextone.com/blog