IMS and Security
Sri Ramachandran, NexTone

Slide 2: Traditional approaches to Security - The “CIA” principle
- Confidentiality: Am I communicating with the right system or user? Can another system or user listen in?
- Integrity: Have the messages been tampered with?
- Availability: Can the systems that enable the communication service be compromised?
CONFIDENTIAL © 2006, NexTone Communications. All rights

Slide 3: The Demarcation Point – Solution for protecting networks and multiple end systems
- Create a trust boundary by using a firewall
- Firewalls and NATs use the “Authorization” principle of Confidentiality
- [Figure: a trusted private IP address space on one side of the firewall and the untrusted “The” Network on the other; an authorized stream crosses the boundary, an unauthorized stream does not]

Slide 4: Solutions for separate control and data streams
- FTP, BitTorrent, RTSP, SIP have separate control and data streams
- Data streams are ephemeral
- Solution: Use an Application Layer Gateway (ALG) that scans the control stream for the attributes of the data stream
- 2 approaches to building ALGs:
  - Dedicated purpose
  - Deep packet inspector/scanner

Slide 5: Characteristics of Session Services
- Signaling and media may traverse different networks
- Intermediate systems for signaling and media are different
- Signaling and media networks may be independently secured
- Signaling and media have different quality characteristics:
  - Media is latency, jitter and packet loss sensitive
  - Reliable delivery of signaling messages is more important than latency and jitter

Slide 6: Denial of Service (DoS) Concepts
- Multiple layers:
  - Layer 3/4 - prevention or stealing of session layer processing
  - Layer 5 - prevention and/or stealing of application layer processing (prevention of revenue loss)
- Theft of service
- Unable to honor Service Level Agreement
- Resource over-allocation
- Resource lock-in
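The ALG approach from the "Solutions for separate control and data streams" slide, as an added worked example (not NexTone's product code): the control stream is a SIP INVITE, the attributes of the ephemeral data stream are the c= and m= lines of its SDP body, and the output is the set of media pinholes a firewall at the trust boundary would need. It also shows the check a practitioner wants alongside this: only open pinholes towards the host that actually sent the signalling. The function names are hypothetical and the INVITE is constructed, not captured.

```python
"""
Application-layer-gateway (ALG) logic for SIP/SDP. Added illustrative example:
scan the control stream (SIP INVITE) for the attributes of the data stream
(SDP c=/m= lines) and derive the media pinholes to open at the trust boundary.
Function names are hypothetical; the sample INVITE below is constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

CRLF = "\r\n"


@dataclass(frozen=True)
class Pinhole:
    media: str      # "audio", "video", ...
    proto: str      # SDP transport, e.g. "RTP/AVP"
    ip: str         # media address from the governing c= line
    port: int       # media port from the m= line
    rtcp_port: int  # RTCP conventionally uses the next port up


def split_sip(message: str) -> Tuple[str, Dict[str, str], str]:
    """Return (start line, lower-cased header dict, body) of a SIP message."""
    head, sep, body = message.partition(CRLF + CRLF)
    lines = head.split(CRLF)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, (body if sep else "")


def parse_sdp_pinholes(message: str) -> List[Pinhole]:
    """Extract media endpoints from the SDP body of a SIP message.

    Rules: only application/sdp bodies are scanned; a c= line before the first
    m= line is session-level and applies to every media section without its
    own c=; an m= line with port 0 is a disabled stream and gets no pinhole.
    """
    _, headers, body = split_sip(message)
    if headers.get("content-type", "").lower() != "application/sdp":
        return []
    session_ip: Optional[str] = None
    sections: List[dict] = []
    for line in body.split(CRLF):
        if line.startswith("c="):
            m = re.match(r"c=IN IP[46] (\S+)", line)
            if not m:
                continue
            if sections:
                sections[-1]["ip"] = m.group(1)   # media-level override
            else:
                session_ip = m.group(1)            # session-level default
        elif line.startswith("m="):
            m = re.match(r"m=(\w+) (\d+)(?:/\d+)? (\S+)", line)
            if not m:
                continue
            sections.append({"media": m.group(1), "port": int(m.group(2)),
                             "proto": m.group(3), "ip": None})
    pinholes: List[Pinhole] = []
    for s in sections:
        ip = s["ip"] or session_ip
        if s["port"] == 0 or ip is None:
            continue
        pinholes.append(Pinhole(s["media"], s["proto"], ip, s["port"], s["port"] + 1))
    return pinholes


def pinholes_for_peer(message: str, signalling_peer_ip: str) -> List[Pinhole]:
    """Policy check: open pinholes only towards the host that sent the signalling.

    Without it, any party able to send an INVITE could have the firewall open a
    hole to an arbitrary third-party address named in the SDP. Peers behind NAT
    need a different policy (e.g. latching on the first media packet), not shown.
    """
    return [p for p in parse_sdp_pinholes(message) if p.ip == signalling_peer_ip]


# Constructed sample: session-level c= covers the first audio stream, the video
# stream is disabled (port 0), the second audio stream names a different address.
SDP_BODY = CRLF.join([
    "v=0",
    "o=alice 2890844526 2890844526 IN IP4 198.51.100.7",
    "s=-",
    "c=IN IP4 198.51.100.7",
    "t=0 0",
    "m=audio 49170 RTP/AVP 0 8",
    "m=video 0 RTP/AVP 31",
    "m=audio 51000 RTP/AVP 0",
    "c=IN IP4 203.0.113.99",
]) + CRLF
SAMPLE_INVITE = CRLF.join([
    "INVITE sip:bob@example.com SIP/2.0",
    "Via: SIP/2.0/UDP 198.51.100.7:5060;branch=z9hG4bK776asdhds",
    "From: <sip:alice@example.com>;tag=1928301774",
    "To: <sip:bob@example.com>",
    "Call-ID: a84b4c76e66710@198.51.100.7",
    "CSeq: 314159 INVITE",
    "Content-Type: application/sdp",
    f"Content-Length: {len(SDP_BODY.encode())}",
]) + CRLF + CRLF + SDP_BODY

if __name__ == "__main__":
    for p in parse_sdp_pinholes(SAMPLE_INVITE):
        print("candidate pinhole:", p)
    for p in pinholes_for_peer(SAMPLE_INVITE, "198.51.100.7"):
        print("opened for signalling peer:", p)
```

The "deep packet inspector" flavour of ALG would run the same parse on every packet of the control stream in the data path; the "dedicated purpose" flavour embeds it in the signalling proxy itself. Either way the pinhole lifetime should be tied to the dialog, since the slide's point is that the data streams are ephemeral.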
Slide 7: Components of a complete security solution
- Ability to create a trust boundary for session services independent of data
- Ability to strongly authenticate users and end devices at all session network elements or networks
- Ability to encrypt at the trust boundary
- Prevent denial of service attacks on service intermediaries: hardened OS, Intrusion Detection/Prevention
- Secure management of network elements: IPSec, HTTPS, SSH
- Allow network or flow based correlation and aggregation

Slide 8: Convergence of Services
- [Figure: layered stack of Terminals, Transport, Service Delivery/Session Control, Application and Back Office; triple play services (TV, Internet, Voice) and Wireless shown as vertically integrated apps, each with its own session control]

Slide 9: Network to Service Centric
- [Figure: the same stack with Collaboration, IPTV, Presence, VoIP and Internet as services sharing Service Delivery/Session Control over a common Transport]

Slide 10: Migration to IMS
- [Figure: Collaboration, IPTV, Presence and VoIP applications over a CSCF/HSS session control layer spanning Wireline and Wireless transport]
Slide 11: Path to IMS
- [Figure: three stages side by side - Separate Applications (vertically integrated triple play and wireless apps), Converged Network (common Transport), and Common Session Control / IMS (CSCF and HSS serving Collaboration, IPTV, Presence and VoIP across Wireline and Wireless)]

Slide 12: CableLabs PacketCable 2.0 Reference Architecture
- [Figure: reference architecture showing IMS Service Delivery (P-CSCF, I-CSCF, S-CSCF, HSS, SLF, Application Server, Presence Server, BGCF, MGC, CMS), NAT & Firewall Traversal (STUN Server, TURN Server, Media Proxy), PacketCable Multimedia (Policy Server, PacketCable Application Manager), Access Network (CMTS, DOCSIS, Cable Modem, E-MTA, UE, Local Network), Peer Network Interconnect (Border Element, Interconnect Proxy), PSTN Core (PSTN GW, MG, SG) and Operational Support Systems (DHCP, Time, DNS, ENUM, PAC, NMS & EMS, CDF)]
- Callouts: Compatible with PacketCable 1.5 E-MTAs; Re-use PacketCable 1.5 PSTN gateway components; Different types of clients; IMS elements adopted and enhanced for Cable; Provisioning, Management, Accounting

Slide 13: Issues with IMS today
- Access differentiates IMS flavors
- IMS functions and value misunderstood
- Bridge from ‘legacy’ to IMS networks mostly underplayed
- Ignores Web 2.0 and non-SIP based sessions
- Focus on pieces inside ‘walled garden’ – not on interconnecting
- Not enough focus on applications
Slide 14: Access Defines IMS Components
- [Figure: Visited Network, Home Network and IMS Core; each access type (WiFi (UMA), WiMAX, WiFi broadband, DSL broadband, Cable) reaches the IMS Core through a different edge combination: SeGW + UNC; PDG + P-CSCF + C-BGF; A-BCF + C-BGF + P-CSCF; P-CSCF + App Manager + C-BGF]

Slide 15: Secure Border Function (SBF)
- Similar concept to a firewall
- Is alongside CSCF network elements
- Thwarts DoS/DDoS attacks
- Uses established techniques to do firewall/NAT traversal
- Adds previously non-existent Rate based Admission Control capabilities

Slide 16: SBF Logical Security Architecture
- Layer 7 – Application: Call Admission Control with Authentication/Authorization
- Layer 5 – SIP: SIP Control with Rate Admission Control; Network based Correlation
  - Theft of service mitigation
  - SPAM/SPIT prevention
  - SIP protocol vulnerabilities
  - DoS protection
- Layer 4 – TCP/UDP: TCP/IP stack in the operating system
  - Hardened OS
  - DoS protection
- Layer 3 – IP: Packet filter
- Layer 2 – Ethernet: Queue/buffer management, packet rate management
- Alongside the layers: Analytics/Post-processing, Reporting & Monitoring, Alarming & Closed Loop Control
- [Figure: the stack is shown for both SIGNALING and MEDIA]

Slide 17: SBF Consolidation of Functions
- [Figure: the SBF consolidates the Application layer (SBC-S), Access & Interconnect Session Management, and Access & Interconnectivity elements (A-BCF, I-BCF, PDG, WAP/WAG, SeGW, BGF) across WiFi, WiMAX, UMA, broadband and Edge access]

Slide 18: Benefits of SBF
- Security for both signaling and media
- Signaling and media can be disaggregated or integrated
- Can be integrated with any signaling or media element to protect it
- Consolidates all access types

Slide 19: Thank You!
For further comments and discussion: [email protected]
www.nextone.com/blog
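The "SIP Control with Rate Admission Control" layer of the SBF Logical Security Architecture, as an added worked example (not NexTone's SBF code): each signalling source gets a token bucket, and requests beyond its burst or sustained rate are rejected in front of the CSCF, so one source cannot consume the session-layer processing that the DoS Concepts slide describes as being stolen. The class and function names are hypothetical and the traffic is constructed, not captured; it uses explicit timestamps rather than the wall clock so the run is reproducible.

```python
"""
Rate-based admission control for SIP signalling. Added illustrative example:
a per-source token bucket in front of the CSCF. Names are hypothetical and the
sample traffic is constructed.
"""
from typing import Dict, List, Tuple

Event = Tuple[float, str, str]            # (timestamp_s, source_ip, SIP request line)
Decision = Tuple[float, str, str, str]    # (timestamp_s, source_ip, method, verdict)


class RateAdmissionControl:
    """Per-source token bucket: up to `burst` requests at once, `rate` per second sustained."""

    def __init__(self, rate_per_sec: float, burst: int) -> None:
        self.rate = rate_per_sec
        self.burst = float(burst)
        self._buckets: Dict[str, Tuple[float, float]] = {}  # src -> (tokens, last_seen)

    def admit(self, src: str, now: float) -> bool:
        tokens, last = self._buckets.get(src, (self.burst, now))
        # Refill in proportion to elapsed time, capped at the burst size.
        tokens = min(self.burst, tokens + max(0.0, now - last) * self.rate)
        if tokens >= 1.0:
            self._buckets[src] = (tokens - 1.0, now)
            return True
        self._buckets[src] = (tokens, now)  # no token available: reject, keep refilling
        return False


def sip_method(request_line: str) -> str:
    """The method is the first token of a request line, e.g. 'INVITE sip:... SIP/2.0'."""
    return request_line.split(" ", 1)[0]


def run_admission(events: List[Event], rate_per_sec: float, burst: int) -> List[Decision]:
    """Apply rate admission control to signalling events in timestamp order."""
    rac = RateAdmissionControl(rate_per_sec, burst)
    decisions: List[Decision] = []
    for ts, src, line in sorted(events):
        verdict = "admit" if rac.admit(src, ts) else "reject (503 Service Unavailable)"
        decisions.append((ts, src, sip_method(line), verdict))
    return decisions


def summarize(decisions: List[Decision]) -> Dict[str, Tuple[int, int]]:
    """Count (admitted, rejected) requests per source, for reporting/alarming."""
    counts: Dict[str, Tuple[int, int]] = {}
    for _, src, _, verdict in decisions:
        admitted, rejected = counts.get(src, (0, 0))
        counts[src] = (admitted + 1, rejected) if verdict == "admit" else (admitted, rejected + 1)
    return counts


# Constructed traffic: one well-behaved subscriber and one source flooding INVITEs.
LEGIT = "198.51.100.7"
FLOOD = "203.0.113.50"
SAMPLE_EVENTS: List[Event] = [
    (0.0, LEGIT, "REGISTER sip:ims.example.net SIP/2.0"),
    (1.0, LEGIT, "INVITE sip:bob@ims.example.net SIP/2.0"),
    (3.0, LEGIT, "BYE sip:bob@ims.example.net SIP/2.0"),
] + [
    # 20 INVITEs 10 ms apart, starting at t=2.0 s
    (2.0 + i / 100, FLOOD, "INVITE sip:callee@ims.example.net SIP/2.0") for i in range(20)
] + [
    (10.0, FLOOD, "INVITE sip:callee@ims.example.net SIP/2.0"),  # bucket has refilled by now
]

if __name__ == "__main__":
    decisions = run_admission(SAMPLE_EVENTS, rate_per_sec=2.0, burst=5)
    for ts, src, method, verdict in decisions:
        print(f"{ts:6.2f} {src:15} {method:9} {verdict}")
    print(summarize(decisions))
```

With a burst of 5 and a sustained 2 requests/s, the flooding source gets its first five INVITEs through and the remaining fifteen of the burst rejected, while the subscriber's REGISTER, INVITE and BYE are all admitted because the buckets are per source. The per-source counts are what the Reporting & Monitoring and Alarming functions on the same slide would consume; pairing the rate check with the Layer 7 authentication/authorization step keeps an authenticated subscriber from being starved by an unauthenticated flood that shares its address range.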